Arbitrary Argument Injection in Symfony HTTP Foundation and Mime
CVE-2019-18888

7.5HIGH

Key Information:

Vendor

Sensiolabs

Status
Symfony
Vendor
CVE Published:
21 November 2019

What is CVE-2019-18888?

A vulnerability exists in Symfony versions ranging from 2.8.0 to 2.8.50, 3.4.0 to 3.4.34, and 4.2.0 to 4.2.11 due to improper validation of user input used for MIME type checks. If unvalidated input is supplied as the file argument for MIME type validation, it can allow an attacker to inject arbitrary arguments into the underlying file command, potentially leading to unauthorized code execution or other security breaches.

References

https://symfony.com/blog/symfony-4-3-8-released
x_refsource_CONFIRM
https://github.com/symfony/symfony/releases/tag/v4.3.8
x_refsource_CONFIRM
https://symfony.com/blog/cve-2019-18888-prevent-argument-...
x_refsource_CONFIRM

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.