CVE-2019-10912 — Deserialization of Untrusted Data in Symfony
Severity
7.1HIGHNVD
EPSS
1.1%
top 21.77%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedMay 16
Latest updateFeb 12
Description
In Symfony before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, it is possible to cache objects that may contain bad user input. On serialization or unserialization, this could result in the deletion of files that the current user has access to. This is related to symfony/cache and symfony/phpunit-bridge.
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:NExploitability: 2.8 | Impact: 4.2
Affected Packages7 packages
Patches
🔴Vulnerability Details
4📋Vendor Advisories
1Debian▶
CVE-2019-10912: symfony - In Symfony before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before...↗2019
💬Community
6Bugzilla▶
CVE-2019-10909 CVE-2019-10910 CVE-2019-10912 CVE-2019-10913 CVE-2018-19790 CVE-2018-19789 php-symfony: Multiple vulnerabilities fixed in symfony 2.8.7 [epel-all]↗2019-06-12
Bugzilla▶
CVE-2019-10909 CVE-2019-10910 CVE-2019-10912 CVE-2019-10913 CVE-2018-19790 CVE-2018-19789 php-symfony: Multiple vulnerabilities fixed in symfony 2.8.7↗2019-06-12
Bugzilla▶
CVE-2019-10909 CVE-2019-10910 CVE-2019-10912 CVE-2019-10913 CVE-2018-19790 CVE-2018-19789 php-symfony: Multiple vulnerabilities fixed in symfony 2.8.7 [fedora-all]↗2019-06-12
Bugzilla▶
CVE-2019-10909 CVE-2019-10910 CVE-2019-10912 CVE-2019-10913 CVE-2018-19790 CVE-2018-19789 php-symfony4: php-symfony: Multiple vulnerabilities fixed in symfony 2.8.7 [fedora-all]↗2019-06-12
Bugzilla▶
CVE-2019-10909 CVE-2019-10910 CVE-2019-10912 CVE-2019-10913 CVE-2018-19790 CVE-2018-19789 php-symfony3: php-symfony: Multiple vulnerabilities fixed in symfony 2.8.7 [fedora-all]↗2019-06-12