CVE-2019-18888
HIGH
Symfony 2.8.0-2.8.50, 3.4.0-3.4.34, 4.2.0-4.2.11, 4.3.0-4.3.7 - Argument Injection via MIME Type Validation
Title source: llm
Description
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. This is related to symfony/http-foundation (and symfony/mime in 4.3.x).
References (6)
Core References
Release Notes x_refsource_confirm
https://symfony.com/blog/symfony-4-3-8-released
Release Notes x_refsource_confirm
https://github.com/symfony/symfony/releases/tag/v4.3.8
Vendor Advisory x_refsource_confirm
https://symfony.com/blog/cve-2019-18888-prevent-argument-injection-in-a-mimetypeguesser
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DZNXRVHDQBNZQUCNRVZICPPBFRAUWUJX/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VXEAOEANNIVYANTMOJ42NKSU6BGNBULZ/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA/
Scores
CVSS v3
7.5
EPSS
0.0225
EPSS Percentile
80.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-88
Status
published
Products (6)
fedoraproject/fedora
30
fedoraproject/fedora
31
sensiolabs/symfony
2.8.0 - 2.8.50
symfony/http-foundation
2.0.0 - 2.8.52 (Packagist)
symfony/mime
4.3.0 - 4.3.8 (Packagist)
symfony/symfony
2.0.0 - 2.8.52 (Packagist)
Published
Nov 21, 2019
Tracked Since
Feb 18, 2026