CVE-2019-10912

In Symfony before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, it is possible to cache objects that may contain bad user input. On serialization or unserialization, this could result in the deletion of files that the current user has access to. This is related to symfony/cache and symfony/phpunit-bridge.

Published: May 17, 2019
Updated: Nov 8, 2023
CVE: CVE-2019-10912
GHSA: GHSA-w2fr-65vp-mxw3
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.1
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

CVSS v2:

Severity: Medium
Score: 6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P

CWEs:

CWE-502

OWASP TOP 10:

A8 - Insecure Deserialization

Affected Software
References

Software	From	Fixed in
sensiolabs / symfony	4.2.0	4.2.7
sensiolabs / symfony	4.1.0	4.1.12
sensiolabs / symfony	3.4.0	3.4.26
sensiolabs / symfony	2.8.0	2.8.50
symfony / cache	3.1.0	3.4.26
symfony / cache	4.0.0	4.1.12
symfony / cache	4.2.0	4.2.7
symfony / phpunit-bridge	2.8.0	2.8.50
symfony / phpunit-bridge	3.0.0	3.4.26
symfony / phpunit-bridge	4.0.0	4.1.12
symfony / phpunit-bridge	4.2.0	4.2.7
symfony / symfony	2.8.0	2.8.50
symfony / symfony	3.0.0	3.4.26
symfony / symfony	4.0.0	4.1.12
symfony / symfony	4.2.0	4.2.7

Vulnerability Database

289,599

CVE-2019-10912