Published: 21/11/2019 Updated: 07/11/2023

CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10

CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9

VMScore: 668

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

An issue exists in Symfony 3.4.0 up to and including 3.4.34, 4.2.0 up to and including 4.2.11, and 4.3.0 up to and including 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is related to symfony/cache.

Vulnerable Product	Search on Vulmon	Subscribe to Product
sensiolabs symfony
fedoraproject fedora 31

Multiple vulnerabilities have been found in the Symfony PHP framework which could lead to a timing attack/information leak, argument injection and code execution via unserialization For the oldstable distribution (stretch), these problems have been fixed in version 287+dfsg-13+deb9u3 For the stable distribution (buster), these problems have be ...

Phar Deserialization Exploit on CVE-2019-18889 Sample This is a sample how to exploit insecure phar deserialization with payload in a phar archive Installation Simply run composer install in command line Make sure pharreadonly = Off in the phpini to be able to generate phar archive This parameter can be Off on the machine where phar archive will be exploited How to use Ru

CWE-94 https://github.com/symfony/symfony/releases/tag/v4.3.8 https://symfony.com/blog/symfony-4-3-8-released https://symfony.com/blog/cve-2019-18889-forbid-serializing-abstractadapter-and-tagawareadapter-instances https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA/https://nvd.nist.gov https://www.debian.org/security/2019/dsa-4573

CVE-2019-18889

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

Github Repositories

References

Vulmon Search

About

Products

Connect