CVE-2019-18888

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2019-18888
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-18888.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2019-18888
Aliases
Downstream
Published
2019-11-21T23:15:13.530Z
Modified
2026-04-10T04:16:40.909351Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
[none]
Details

An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. This is related to symfony/http-foundation (and symfony/mime in 4.3.x).

References

Affected packages

Git / github.com/symfony/symfony

Affected ranges

Type
GIT
Repo
https://github.com/symfony/symfony
Events
Introduced
5615b92cd452cd54f1433a3f53de87c096a1107f
Last affected
2ef4e09343bdbdee0a7968f58b8ec594ce0aa47d
Introduced
0a47db379b8cc74cdd84e1e6870fafc4a4ac8351
Last affected
c461582064eabe9b93b225be589dd6740620ce0f
Introduced
7bd9a1bae87e6b2d7eba499ebf3053ff4bc3a483
Last affected
2ba6f17744ee8649ac107039f64d1ee4c959bf32
Introduced
0bf8d128ef3c492436ab5f1b7c7b130f9e96aad2
Last affected
fb4065ac95f08ca26ee605936e537ba2cd4a6bb7
Fixed
87fb08703e62882a7a6fdb17672070e0ee12dd65
Database specific 
{
    "versions": [
        {
            "introduced": "2.8.0"
        },
        {
            "last_affected": "2.8.50"
        },
        {
            "introduced": "3.4.0"
        },
        {
            "last_affected": "3.4.34"
        },
        {
            "introduced": "4.2.0"
        },
        {
            "last_affected": "4.2.11"
        },
        {
            "introduced": "4.3.0"
        },
        {
            "last_affected": "4.3.7"
        }
    ]
}

Affected versions

v2.*
v2.8.0
v2.8.1
v2.8.10
v2.8.11
v2.8.12
v2.8.13
v2.8.14
v2.8.15
v2.8.16
v2.8.17
v2.8.18
v2.8.19
v2.8.2
v2.8.20
v2.8.21
v2.8.22
v2.8.23
v2.8.24
v2.8.25
v2.8.26
v2.8.27
v2.8.28
v2.8.29
v2.8.3
v2.8.30
v2.8.31
v2.8.32
v2.8.33
v2.8.34
v2.8.35
v2.8.36
v2.8.37
v2.8.38
v2.8.39
v2.8.4
v2.8.40
v2.8.41
v2.8.42
v2.8.43
v2.8.44
v2.8.45
v2.8.46
v2.8.47
v2.8.48
v2.8.49
v2.8.5
v2.8.50
v2.8.6
v2.8.7
v2.8.8
v2.8.9
v3.*
v3.4.0
v3.4.1
v3.4.10
v3.4.11
v3.4.12
v3.4.13
v3.4.14
v3.4.15
v3.4.16
v3.4.17
v3.4.18
v3.4.19
v3.4.2
v3.4.20
v3.4.21
v3.4.22
v3.4.23
v3.4.24
v3.4.25
v3.4.26
v3.4.27
v3.4.28
v3.4.29
v3.4.3
v3.4.30
v3.4.31
v3.4.32
v3.4.33
v3.4.34
v3.4.4
v3.4.5
v3.4.6
v3.4.7
v3.4.8
v3.4.9
v4.*
v4.2.0
v4.2.1
v4.2.10
v4.2.11
v4.2.2
v4.2.3
v4.2.4
v4.2.5
v4.2.6
v4.2.7
v4.2.8
v4.2.9
v4.3.0
v4.3.1
v4.3.2
v4.3.3
v4.3.4
v4.3.5
v4.3.6
v4.3.7

Database specific

unresolved_ranges 
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "30"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "31"
            }
        ]
    }
]
source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-18888.json"