Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.DEBIAN_DSA-4441.NASL
HistoryMay 13, 2019 - 12:00 a.m.

Debian DSA-4441-1 : symfony - security update

2019-05-1300:00:00
This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
17
JSON

Multiple vulnerabilities were discovered in the Symfony PHP framework which could lead to cache bypass, authentication bypass, information disclosure, open redirect, cross-site request forgery, deletion of arbitrary files, or arbitrary code execution.

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Debian Security Advisory DSA-4441. The text 
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(124779);
  script_version("1.3");
  script_cvs_date("Date: 2020/01/21");

  script_cve_id("CVE-2018-14773", "CVE-2018-19789", "CVE-2018-19790", "CVE-2019-10909", "CVE-2019-10910", "CVE-2019-10911", "CVE-2019-10912", "CVE-2019-10913");
  script_xref(name:"DSA", value:"4441");

  script_name(english:"Debian DSA-4441-1 : symfony - security update");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Multiple vulnerabilities were discovered in the Symfony PHP framework
which could lead to cache bypass, authentication bypass, information
disclosure, open redirect, cross-site request forgery, deletion of
arbitrary files, or arbitrary code execution."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security-tracker.debian.org/tracker/source-package/symfony"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://packages.debian.org/source/stretch/symfony"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.debian.org/security/2019/dsa-4441"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Upgrade the symfony packages.

For the stable distribution (stretch), these problems have been fixed
in version 2.8.7+dfsg-1.3+deb9u2."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:symfony");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/08/03");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/05/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/13");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"9.0", prefix:"php-symfony", reference:"2.8.7+dfsg-1.3+deb9u2")) flag++;
if (deb_check(release:"9.0", prefix:"php-symfony-asset", reference:"2.8.7+dfsg-1.3+deb9u2")) flag++;
if (deb_check(release:"9.0", prefix:"php-symfony-browser-kit", reference:"2.8.7+dfsg-1.3+deb9u2")) flag++;
if (deb_check(release:"9.0", prefix:"php-symfony-class-loader", reference:"2.8.7+dfsg-1.3+deb9u2")) flag++;
if (deb_check(release:"9.0", prefix:"php-symfony-config", reference:"2.8.7+dfsg-1.3+deb9u2")) flag++;
if (deb_check(release:"9.0", prefix:"php-symfony-console", reference:"2.8.7+dfsg-1.3+deb9u2")) flag++;
if (deb_check(release:"9.0", prefix:"php-symfony-css-selector", reference:"2.8.7+dfsg-1.3+deb9u2")) flag++;
if (deb_check(release:"9.0", prefix:"php-symfony-debug", reference:"2.8.7+dfsg-1.3+deb9u2")) flag++;
if (deb_check(release:"9.0", prefix:"php-symfony-debug-bundle", reference:"2.8.7+dfsg-1.3+deb9u2")) flag++;
if (deb_check(release:"9.0", prefix:"php-symfony-dependency-injection", reference:"2.8.7+dfsg-1.3+deb9u2")) flag++;
if (deb_check(release:"9.0", prefix:"php-symfony-doctrine-bridge", reference:"2.8.7+dfsg-1.3+deb9u2")) flag++;
if (deb_check(release:"9.0", prefix:"php-symfony-dom-crawler", reference:"2.8.7+dfsg-1.3+deb9u2")) flag++;
if (deb_check(release:"9.0", prefix:"php-symfony-event-dispatcher", reference:"2.8.7+dfsg-1.3+deb9u2")) flag++;
if (deb_check(release:"9.0", prefix:"php-symfony-expression-language", reference:"2.8.7+dfsg-1.3+deb9u2")) flag++;
if (deb_check(release:"9.0", prefix:"php-symfony-filesystem", reference:"2.8.7+dfsg-1.3+deb9u2")) flag++;
if (deb_check(release:"9.0", prefix:"php-symfony-finder", reference:"2.8.7+dfsg-1.3+deb9u2")) flag++;
if (deb_check(release:"9.0", prefix:"php-symfony-form", reference:"2.8.7+dfsg-1.3+deb9u2")) flag++;
if (deb_check(release:"9.0", prefix:"php-symfony-framework-bundle", reference:"2.8.7+dfsg-1.3+deb9u2")) flag++;
if (deb_check(release:"9.0", prefix:"php-symfony-http-foundation", reference:"2.8.7+dfsg-1.3+deb9u2")) flag++;
if (deb_check(release:"9.0", prefix:"php-symfony-http-kernel", reference:"2.8.7+dfsg-1.3+deb9u2")) flag++;
if (deb_check(release:"9.0", prefix:"php-symfony-intl", reference:"2.8.7+dfsg-1.3+deb9u2")) flag++;
if (deb_check(release:"9.0", prefix:"php-symfony-ldap", reference:"2.8.7+dfsg-1.3+deb9u2")) flag++;
if (deb_check(release:"9.0", prefix:"php-symfony-locale", reference:"2.8.7+dfsg-1.3+deb9u2")) flag++;
if (deb_check(release:"9.0", prefix:"php-symfony-monolog-bridge", reference:"2.8.7+dfsg-1.3+deb9u2")) flag++;
if (deb_check(release:"9.0", prefix:"php-symfony-options-resolver", reference:"2.8.7+dfsg-1.3+deb9u2")) flag++;
if (deb_check(release:"9.0", prefix:"php-symfony-phpunit-bridge", reference:"2.8.7+dfsg-1.3+deb9u2")) flag++;
if (deb_check(release:"9.0", prefix:"php-symfony-process", reference:"2.8.7+dfsg-1.3+deb9u2")) flag++;
if (deb_check(release:"9.0", prefix:"php-symfony-property-access", reference:"2.8.7+dfsg-1.3+deb9u2")) flag++;
if (deb_check(release:"9.0", prefix:"php-symfony-property-info", reference:"2.8.7+dfsg-1.3+deb9u2")) flag++;
if (deb_check(release:"9.0", prefix:"php-symfony-proxy-manager-bridge", reference:"2.8.7+dfsg-1.3+deb9u2")) flag++;
if (deb_check(release:"9.0", prefix:"php-symfony-routing", reference:"2.8.7+dfsg-1.3+deb9u2")) flag++;
if (deb_check(release:"9.0", prefix:"php-symfony-security", reference:"2.8.7+dfsg-1.3+deb9u2")) flag++;
if (deb_check(release:"9.0", prefix:"php-symfony-security-bundle", reference:"2.8.7+dfsg-1.3+deb9u2")) flag++;
if (deb_check(release:"9.0", prefix:"php-symfony-security-core", reference:"2.8.7+dfsg-1.3+deb9u2")) flag++;
if (deb_check(release:"9.0", prefix:"php-symfony-security-csrf", reference:"2.8.7+dfsg-1.3+deb9u2")) flag++;
if (deb_check(release:"9.0", prefix:"php-symfony-security-guard", reference:"2.8.7+dfsg-1.3+deb9u2")) flag++;
if (deb_check(release:"9.0", prefix:"php-symfony-security-http", reference:"2.8.7+dfsg-1.3+deb9u2")) flag++;
if (deb_check(release:"9.0", prefix:"php-symfony-serializer", reference:"2.8.7+dfsg-1.3+deb9u2")) flag++;
if (deb_check(release:"9.0", prefix:"php-symfony-stopwatch", reference:"2.8.7+dfsg-1.3+deb9u2")) flag++;
if (deb_check(release:"9.0", prefix:"php-symfony-swiftmailer-bridge", reference:"2.8.7+dfsg-1.3+deb9u2")) flag++;
if (deb_check(release:"9.0", prefix:"php-symfony-templating", reference:"2.8.7+dfsg-1.3+deb9u2")) flag++;
if (deb_check(release:"9.0", prefix:"php-symfony-translation", reference:"2.8.7+dfsg-1.3+deb9u2")) flag++;
if (deb_check(release:"9.0", prefix:"php-symfony-twig-bridge", reference:"2.8.7+dfsg-1.3+deb9u2")) flag++;
if (deb_check(release:"9.0", prefix:"php-symfony-twig-bundle", reference:"2.8.7+dfsg-1.3+deb9u2")) flag++;
if (deb_check(release:"9.0", prefix:"php-symfony-validator", reference:"2.8.7+dfsg-1.3+deb9u2")) flag++;
if (deb_check(release:"9.0", prefix:"php-symfony-var-dumper", reference:"2.8.7+dfsg-1.3+deb9u2")) flag++;
if (deb_check(release:"9.0", prefix:"php-symfony-web-profiler-bundle", reference:"2.8.7+dfsg-1.3+deb9u2")) flag++;
if (deb_check(release:"9.0", prefix:"php-symfony-yaml", reference:"2.8.7+dfsg-1.3+deb9u2")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
VendorProductVersionCPE
debiandebian_linuxsymfonyp-cpe:/a:debian:debian_linux:symfony
debiandebian_linux9.0cpe:/o:debian:debian_linux:9.0

Related

debian 4
openvas 31
osv 18
nessus 30
fedora 25
freebsd 2
drupal 3
ibm 2
thn 2
symfony 8
veracode 8
prion 8
debiancve 8
cve 8
ubuntucve 8
github 7
typo3 1
redhatcve 1
debian
debian
[SECURITY] [DSA 4441-1] symfony security update
2019-05-10 06:26:19
[SECURITY] [DSA 4441-1] symfony security update
2019-05-10 06:26:19
[SECURITY] [DLA 1778-1] symfony security update
2019-05-06 19:15:39
openvas
openvas
Debian Security Advisory DSA 4441-1 (symfony - security update)
2019-05-11 00:00:00
Symfony 2.7.x < 2.7.51, 2.8.x < 2.8.50, 3.x < 3.4.26, 4.x < 4.1.12, 4.2.x < 4.2.7 Multiple Vulnerabilities
2019-05-20 00:00:00
Debian LTS: Security Advisory for symfony (DLA-1778-1)
2019-05-07 00:00:00
osv
osv
symfony - security update
2019-05-10 00:00:00
symfony - security update
2019-05-06 00:00:00
symfony - security update
2019-03-09 00:00:00
nessus
nessus
Fedora 29 : php-symfony (2019-f8db687840)
2019-04-29 00:00:00
Fedora 28 : php-symfony3 (2019-2a7f472198)
2019-04-29 00:00:00
Fedora 29 : php-symfony4 (2019-32067d8b15)
2019-04-29 00:00:00
fedora
fedora
[SECURITY] Fedora 29 Update: php-symfony-2.8.51-1.fc29
2019-04-27 23:12:01
[SECURITY] Fedora 29 Update: php-symfony4-4.1.12-1.fc29
2019-04-27 23:12:03
[SECURITY] Fedora 30 Update: php-symfony-2.8.51-1.fc30
2019-04-27 21:35:08
freebsd
freebsd
drupal -- Drupal core - Moderately critical
2019-04-17 00:00:00
TYPO3 -- multiple vulnerabilities
2019-06-28 00:00:00
drupal
drupal
Drupal core - Moderately critical - Multiple Vulnerabilities - SA-CORE-2019-005
2019-04-17 00:00:00
Drupal Core - 3rd-party libraries -SA-CORE-2018-005
2018-08-01 00:00:00
Drupal Core - 3rd-party libraries -SA-CORE-2018-005
2018-08-01 00:00:00
ibm
ibm
Security Bulletin: IBM API Connect's Developer Portal is impacted by vulnerabilities in Drupal core (CVE-2019-10909 CVE-2019-10910 CVE-2019-10911 CVE-2019-11358)
2019-05-31 13:40:01
Security Bulletin: IBM API Connect is impacted by a Drupal 8 vulnerability (CVE-2018-14773)
2018-08-23 16:19:33
thn
thn
Drupal Releases Core CMS Updates to Patch Several Vulnerabilities
2019-04-17 21:51:00
Symfony Flaw Leaves Drupal Sites Vulnerable to Hackersβ€”Patch Now
2018-08-03 11:13:00
symfony
symfony
CVE-2018-19789: Disclosure of uploaded files full path
2018-12-06 00:00:00
CVE-2018-19790: Open Redirect Vulnerability when using Security\Http
2018-12-06 00:00:00
CVE-2019-10909: Escape validation messages in the PHP templating engine
2019-04-17 00:00:00
veracode
veracode
Open Redirect
2018-12-19 01:52:36
Information Disclosure
2018-12-19 06:03:31
Cross-site Scripting (XSS)
2019-04-18 04:55:27
prion
prion
Remote code execution
2018-12-18 22:29:00
Input validation
2019-05-16 22:29:00
Open redirect
2018-12-18 22:29:00
debiancve
debiancve
CVE-2018-19789
2018-12-18 22:29:00
CVE-2019-10909
2019-05-16 22:29:00
CVE-2018-19790
2018-12-18 22:29:00
cve
cve
CVE-2018-19789
2018-12-18 22:29:00
CVE-2019-10909
2019-05-16 22:29:00
CVE-2018-19790
2018-12-18 22:29:00
ubuntucve
ubuntucve
CVE-2018-19789
2018-12-18 00:00:00
CVE-2019-10909
2019-05-16 00:00:00
CVE-2018-19790
2018-12-18 00:00:00
github
github
Symfony Cross-site Scripting (XSS) vulnerability
2019-11-12 23:00:53
Symfony Path Disclosure
2022-05-14 01:04:20
Deserialization of untrusted data in Symfony
2020-02-12 18:44:50
typo3
typo3
Possible deserialization side-effects in symfony/cache
2019-06-25 00:00:00
redhatcve
redhatcve
CVE-2019-10911
2022-05-20 22:45:13
JSON
Related for DEBIAN_DSA-4441.NASL
debian4openvas31osv18nessus30fedora25freebsd2drupal3ibm2thn2symfony8veracode8prion8debiancve8cve8ubuntucve8github7typo31redhatcve1