7.1

CVE-2019-10912

EPSS 1.16%
Veröffentlicht 16.05.2019 22:29:00
Zuletzt bearbeitet 21.11.2024 04:20:08
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

In Symfony before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, it is possible to cache objects that may contain bad user input. On serialization or unserialization, this could result in the deletion of files that the current user has access to. This is related to symfony/cache and symfony/phpunit-bridge.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 16

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Sensiolabs ≫ Symfony Version >= 2.8.0 < 2.8.50

Sensiolabs ≫ Symfony Version >= 3.4.0 < 3.4.26

Sensiolabs ≫ Symfony Version >= 4.1.0 < 4.1.12

Sensiolabs ≫ Symfony Version >= 4.2.0 < 4.2.7

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.16%	0.779

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.1	2.8	4.2	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
nvd@nist.gov	6.5	8	6.4	AV:N/AC:L/Au:S/C:P/I:P/A:P

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

https://seclists.org/bugtraq/2019/May/21

https://www.debian.org/security/2019/dsa-4441

https://github.com/symfony/symfony/commit/4fb975281634b8d49ebf013af9e502e67c28816b

Patch

Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/42UEKSLKJB72P24JBWVN6AADHLMYSUQD/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QEAOZXVNDA63537A2OIH4QE77EKZR5O/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BAC2TQVEEH5FDJSSWPM2BCRIPTCOEMMO/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BHHIG4GMSGEIDT3RITSW7GJ5NT6IBHXU/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LFARAUAWZE4UDSKVDWRD35D75HI5UGSD/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MDSM576XIOVXVCMHNJHLBBZBTOD62LDA/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RTJGZJLPG5FHKFH7KNAKNTWOGBB6LXAL/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLOZX5BZMQKWG7PJRQL6MB5CAMKBQAWD/

https://symfony.com/blog/cve-2019-10912-prevent-destructors-with-side-effects-from-being-unserialized

Third Party Advisory

https://typo3.org/security/advisory/typo3-core-sa-2019-016/

https://nvd.nist.gov/vuln/detail/CVE-2019-10912

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-10912

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-10912

EUVD