CVE-2019-18888

Source
https://nvd.nist.gov/vuln/detail/CVE-2019-18888
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-18888.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2019-18888
Aliases
Related
Published
2019-11-21T23:15:13Z
Modified
2024-09-18T03:04:40.405710Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
[none]
Details

An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. This is related to symfony/http-foundation (and symfony/mime in 4.3.x).

References

Affected packages

Debian:11 / symfony

Package

Name
symfony
Purl
pkg:deb/debian/symfony?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.3.8+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / symfony

Package

Name
symfony
Purl
pkg:deb/debian/symfony?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.3.8+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / symfony

Package

Name
symfony
Purl
pkg:deb/debian/symfony?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.3.8+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/symfony/security-http

Affected ranges

Type
GIT
Repo
https://github.com/symfony/security-http
Events
Type
GIT
Repo
https://github.com/symfony/symfony
Events

Affected versions

v3.*

v3.4.29
v3.4.30
v3.4.31
v3.4.32
v3.4.33
v3.4.34
v3.4.35

v4.*

v4.2.10
v4.2.11
v4.3.0
v4.3.0-RC1
v4.3.1
v4.3.2
v4.3.3
v4.3.4
v4.3.5
v4.3.6
v4.3.7