Remote Code Injection Vulnerability in Symfony Cache Adapter
CVE-2019-18889

9.8 CRITICAL

Key Information:

Vendor: Sensiolabs
Status
Vendor
CVE Published: 21 November 2019

Summary

A vulnerability exists in Symfony versions from 3.4.0 to 3.4.34, 4.2.0 to 4.2.11, and 4.3.0 to 4.3.7 where the serialization of specific cache adapter interfaces could lead to remote code injection. This issue is closely linked to the symfony/cache component and may expose systems to unauthorized access or malicious code execution. Users are advised to update to the latest version to mitigate this risk.

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
