VDB
CVE-2019-18889
CVE-2019-18889
PUBLISHED
An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is related to symfony/cache.
EPSS 5.13% · 90.0th percentile
Risk Scores
EPSS Score
5.13%
90.0th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:16.04:LTS | symfony | 0, 2.7.1+dfsg-1, 2.7.5+dfsg-1 |
| Ubuntu:Pro:18.04:LTS | symfony | 0, *, 3.4.3+dfsg-1ubuntu4 |
Exploit Intelligence
Timeline
- Nov 21, 2019 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Oct 26, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 28, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- May 1, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
- Nov 6, 2022 EPSS Score
- Jan 8, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2019-18889 third-party-advisory
- https://symfony.com/blog/cve-2019-18889-forbid-serializing-abstractadapter-and-tagawareadapter-instances third-party-advisory
- https://github.com/symfony/symfony/commit/8817d28fcaacb31fe01d267f6e19b44d8179395a third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2019-18889 third-party-advisory