Описание
An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is related to symfony/cache.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| symfony | fixed | 4.3.8+dfsg-1 | package | |
| symfony | fixed | 3.4.22+dfsg-2+deb10u1 | buster | package |
| symfony | not-affected | stretch | package | |
| symfony | not-affected | jessie | package |
Примечания
https://symfony.com/blog/cve-2019-18889-forbid-serializing-abstractadapter-and-tagawareadapter-instances
https://github.com/symfony/symfony/commit/8817d28fcaacb31fe01d267f6e19b44d8179395a
EPSS
Связанные уязвимости
An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is related to symfony/cache.
An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is related to symfony/cache.
Symfony Unsafe Cache Serialization Could Enable RCE
Уязвимость программной платформы для разработки и управления веб-приложениями Symfony, существующая из-за непринятия мер по нейтрализации специальных элементов, позволяющая нарушителю внедрить произвольный код
EPSS