CVE-2019-10912
Severity: HIGH
Sensiolabs Symfony < 2.8.50 - Insecure Deserialization
In Symfony before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, it is possible to cache objects that may contain bad user input. On serialization or unserialization, this could result in the deletion of files that the current user has access to. This is related to symfony/cache and symfony/phpunit-bridge.
References (13)
https://symfony.com/blog/cve-2019-10912-prevent-destructors-with-side-effects-from-being-unserialized (Third Party Advisory; x_refsource_confirm)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RTJGZJLPG5FHKFH7KNAKNTWOGBB6LXAL/ (Mailing List, Third Party Advisory; vendor-advisory, x_refsource_fedora)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLOZX5BZMQKWG7PJRQL6MB5CAMKBQAWD/ (Mailing List, Third Party Advisory; vendor-advisory, x_refsource_fedora)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LFARAUAWZE4UDSKVDWRD35D75HI5UGSD/ (Mailing List, Third Party Advisory; vendor-advisory, x_refsource_fedora)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MDSM576XIOVXVCMHNJHLBBZBTOD62LDA/ (Mailing List, Third Party Advisory; vendor-advisory, x_refsource_fedora)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BAC2TQVEEH5FDJSSWPM2BCRIPTCOEMMO/ (Mailing List, Third Party Advisory; vendor-advisory, x_refsource_fedora)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/42UEKSLKJB72P24JBWVN6AADHLMYSUQD/ (Mailing List, Third Party Advisory; vendor-advisory, x_refsource_fedora)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QEAOZXVNDA63537A2OIH4QE77EKZR5O/ (Mailing List, Third Party Advisory; vendor-advisory, x_refsource_fedora)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BHHIG4GMSGEIDT3RITSW7GJ5NT6IBHXU/ (Mailing List, Third Party Advisory; vendor-advisory, x_refsource_fedora)
https://www.debian.org/security/2019/dsa-4441 (Third Party Advisory; vendor-advisory, x_refsource_debian)
https://seclists.org/bugtraq/2019/May/21 (Mailing List; mailing-list, x_refsource_bugtraq)
https://github.com/symfony/symfony/commit/4fb975281634b8d49ebf013af9e502e67c28816b (Patch, Third Party Advisory; x_refsource_confirm)
https://typo3.org/security/advisory/typo3-core-sa-2019-016/ (Vendor Advisory; x_refsource_confirm)
Scores
CVSS v3: 7.1
EPSS: 0.0112
EPSS Percentile: 78.3%
Attack Vector: NETWORK
Vector string: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Details
CWE: CWE-502
Status: published
Products (6)
sensiolabs/symfony: 2.8.0 - 2.8.50
symfony/cache: 3.1.0 - 3.4.26 (Packagist)
symfony/phpunit-bridge: 2.8.0 - 2.8.50 (Packagist)
symfony/symfony: 2.8.0 - 2.8.50 (Packagist)
typo3/cms: 9.0.0 - 9.5.8 (Packagist)
typo3/cms-core: 9.0.0 - 9.5.8 (Packagist)
Published: May 16, 2019
Tracked Since: Feb 18, 2026