CVE-2019-18889
Severity: CRITICAL
Symfony 3.4.0-3.4.34, 4.2.0-4.2.11, 4.3.0-4.3.7 - Remote Code Execution via Cache Adapter Serialization
An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is related to symfony/cache.
References (4)
Release Notes (x_refsource_confirm): https://symfony.com/blog/symfony-4-3-8-released
Release Notes (x_refsource_confirm): https://github.com/symfony/symfony/releases/tag/v4.3.8
Vendor Advisory (x_refsource_confirm): https://symfony.com/blog/cve-2019-18889-forbid-serializing-abstractadapter-and-tagawareadapter-instances
Mailing List, Third Party Advisory (vendor-advisory, x_refsource_fedora): https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA/
Scores
CVSS v3 base score: 9.8
EPSS: 0.3325
EPSS Percentile: 98.2%
Attack Vector: NETWORK
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-94
Status: published
Products (4)
fedoraproject/fedora: 31
sensiolabs/symfony: 3.4.0 - 3.4.34
symfony/cache: 3.1.0 - 3.4.35 (Packagist)
symfony/symfony: 3.1.0 - 3.4.35 (Packagist)
Published: Nov 21, 2019
Tracked Since: Feb 18, 2026