CVE-2019-18889
Symfony Unsafe Cache Serialization Could Enable RCE
CVSS 3.1: 9.8 (CRITICAL)
EPSS: 5.1%
Description
An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is related to symfony/cache.
How to fix CVE-2019-18889
To remediate CVE-2019-18889, upgrade the affected package to one of the fixed versions listed below.
- Debian/symfony: upgrade to 4.3.8+dfsg-1 or later
- upgrade to 3.4.35 or later
- upgrade to 3.4.35 or later
Is CVE-2019-18889 being exploited?
Moderate: EPSS is 5.1%. Track this CVE, but it is not at the top of the prioritisation list.
Affected packages (3)
- >= 0, < 4.3.8+dfsg-1
- >= 3.1.0, < 3.4.35
- >= 3.1.0, < 3.4.35
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL (9.8) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |