CVE-2019-18888
PUBLISHED
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. This is related to symfony/http-foundation (and symfony/mime in 4.3.x).
Risk Scores
EPSS Score: 2.31% (85.1th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:Pro:18.04:LTS | symfony | 0, 2.8.7+dfsg-1.3ubuntu1, 3.4.3+dfsg-1ubuntu4 |
| Ubuntu:16.04:LTS | symfony | 0, 2.7.1+dfsg-1, 2.7.5+dfsg-1 |
Exploit Intelligence
- https://symfony.com/blog/symfony-4-3-8-released (circl)
- https://github.com/symfony/symfony/releases/tag/v4.3.8 (circl)
- https://symfony.com/blog/cve-2019-18888-prevent-argument-injection-in-a-mimetypeguesser (circl)
- FEDORA-2019-9c2ad3b018 (circl)
- FEDORA-2019-5ae4fd9203 (circl)
- FEDORA-2019-8b0ba02338 (circl)
Timeline
- Nov 21, 2019 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Oct 26, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Feb 4, 2022 EPSS Score
- Feb 28, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- Jul 3, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
- Jan 8, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2019-18888 third-party-advisory
- https://symfony.com/blog/cve-2019-18888-prevent-argument-injection-in-a-mimetypeguesser third-party-advisory
- https://github.com/symfony/symfony/commit/691486e43ce0e4893cd703e221bafc10a871f365 third-party-advisory
- https://github.com/symfony/symfony/commit/77ddabf2e785ea85860d2720cc86f7c5d8967ed5 third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2019-18888 third-party-advisory