CVE-2019-18889
Published 2019-11-21

CVE-2019-18889: An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could…

Priority P265 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 33.25% (98.2th percentile)
An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is related to symfony/cache.
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | symfony | < symfony 4.3.8+dfsg-1 (bookworm) | symfony 4.3.8+dfsg-1 (bookworm) |
| fedoraproject | fedora | — | — |
| sensiolabs | symfony | 3.4.0 – 3.4.34 | — |
| sensiolabs | symfony | 4.2.0 – 4.2.11 | — |
| sensiolabs | symfony | 4.3.0 – 4.3.7 | — |
| symfony | cache | >= 3.1.0 < 3.4.35 | 3.4.35 |
| symfony | cache | >= 4.0.0 < 4.2.12 | 4.2.12 |
| symfony | cache | >= 4.3.0 < 4.3.8 | 4.3.8 |
| symfony | symfony | >= 0 < 4.3.8+dfsg-1 | 4.3.8+dfsg-1 |
| symfony | symfony | >= 0 < 4.3.8+dfsg-1 | 4.3.8+dfsg-1 |
| symfony | symfony | >= 0 < 4.3.8+dfsg-1 | 4.3.8+dfsg-1 |
| symfony | symfony | >= 0 < 4.3.8+dfsg-1 | 4.3.8+dfsg-1 |
| symfony | symfony | >= 3.1.0 < 3.4.35 | 3.4.35 |
| symfony | symfony | >= 4.0.0 < 4.2.12 | 4.2.12 |
| symfony | symfony | >= 4.3.0 < 4.3.8 | 4.3.8 |
Detection & IOCs (extracted from sources)
- Vulnerability exists in the symfony/cache component; monitor for unexpected serialization/deserialization of cache adapter interfaces in Symfony applications, which could indicate exploitation of this RCE vector.
- Affected versions are Symfony 3.4.0–3.4.34, 4.2.0–4.2.11, and 4.3.0–4.3.7; fixed in 4.3.8 (Debian package 4.3.8+dfsg-1).
- Debian distributions (bookworm, bullseye, forky, sid, trixie) have all resolved this via the 4.3.8+dfsg-1 package.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
GHSA (2019-12-02)
CVE-2019-18889 [CRITICAL] CWE-94: Symfony Unsafe Cache Serialization Could Enable RCE
An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is related to symfony/cache.
OSV (2019-12-02)
CVE-2019-18889 [CRITICAL]: Symfony Unsafe Cache Serialization Could Enable RCE
An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is related to symfony/cache.
OSV (2019-11-21, CVSS 9.8)
CVE-2019-18889 [CRITICAL]: An issue was discovered in Symfony 3
An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is related to symfony/cache.
Debian (vendor_debian, 2019, CVSS 9.8)
CVE-2019-18889 [CRITICAL]: symfony - An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, a...
An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is related to symfony/cache.
Scope: local
- bookworm: resolved (fixed in 4.3.8+dfsg-1)
- bullseye: resolved (fixed in 4.3.8+dfsg-1)
- forky: resolved (fixed in 4.3.8+dfsg-1)
- sid: resolved (fixed in 4.3.8+dfsg-1)
- trixie: resolved (fixed in 4.3.8+dfsg-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/symfony/symfony/releases/tag/v4.3.8
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA/
- https://symfony.com/blog/cve-2019-18889-forbid-serializing-abstractadapter-and-tagawareadapter-instances
- https://symfony.com/blog/symfony-4-3-8-released

Published: 2019-11-21