CVE-2019-18889
published 2019-11-21


Priority: P265 (critical)
CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 33.25% (98.2th percentile)
An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is related to symfony/cache.

Affected

15 ranges

| Vendor        | Product | Version range                         | Fixed in                       |
|---------------|---------|---------------------------------------|--------------------------------|
| debian        | symfony | < symfony 4.3.8+dfsg-1 (bookworm)     | symfony 4.3.8+dfsg-1 (bookworm) |
| fedoraproject | fedora  |                                       |                                |
| sensiolabs    | symfony | 3.4.0 – 3.4.34                        |                                |
| sensiolabs    | symfony | 4.2.0 – 4.2.11                        |                                |
| sensiolabs    | symfony | 4.3.0 – 4.3.7                         |                                |
| symfony       | cache   | >= 3.1.0 < 3.4.35                     | 3.4.35                         |
| symfony       | cache   | >= 4.0.0 < 4.2.12                     | 4.2.12                         |
| symfony       | cache   | >= 4.3.0 < 4.3.8                      | 4.3.8                          |
| symfony       | symfony | >= 0 < 4.3.8+dfsg-1                   | 4.3.8+dfsg-1                   |
| symfony       | symfony | >= 0 < 4.3.8+dfsg-1                   | 4.3.8+dfsg-1                   |
| symfony       | symfony | >= 0 < 4.3.8+dfsg-1                   | 4.3.8+dfsg-1                   |
| symfony       | symfony | >= 0 < 4.3.8+dfsg-1                   | 4.3.8+dfsg-1                   |
| symfony       | symfony | >= 3.1.0 < 3.4.35                     | 3.4.35                         |
| symfony       | symfony | >= 4.0.0 < 4.2.12                     | 4.2.12                         |
| symfony       | symfony | >= 4.3.0 < 4.3.8                      | 4.3.8                          |

Detection & IOCs (extracted from sources)

  • The vulnerability lies in the symfony/cache component; monitor for unexpected serialization or deserialization of cache adapter interfaces in Symfony applications, which could indicate exploitation of this RCE vector.
  • Affected versions are Symfony 3.4.0–3.4.34, 4.2.0–4.2.11, and 4.3.0–4.3.7; fixed in 4.3.8 (Debian package 4.3.8+dfsg-1).
  • Debian distributions (bookworm, bullseye, forky, sid, trixie) have all resolved this via the 4.3.8+dfsg-1 package.

CVSS provenance

| Source        | Version | Score | Severity | Vector                                       |
|---------------|---------|-------|----------|----------------------------------------------|
| nvd           | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd           | v2.0    | 7.5   | HIGH     | AV:N/AC:L/Au:N/C:P/I:P/A:P                   |
| osv           |         | 9.8   | CRITICAL |                                              |
| vendor_debian |         | 9.8   | CRITICAL |                                              |