Fedora Update for php-symfony FEDORA-2018-b38a4dd0c7
2019-05-07T00:00:00
ID OPENVAS:1361412562310875781 Type openvas Reporter Copyright (C) 2019 Greenbone Networks GmbH Modified 2019-05-14T00:00:00
Description
The remote host is missing an update for the 'php-symfony' package(s) announced via the FEDORA-2018-b38a4dd0c7 advisory.
# Copyright (C) 2019 Greenbone Networks GmbH
# Text descriptions are largely excerpted from the referenced
# advisory, and are Copyright (C) the respective author(s)
#
# SPDX-License-Identifier: GPL-2.0-or-later
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
# Plugin metadata. This branch runs only when `description` is set and ends
# with exit(0), so none of the host checks further down execute in that mode.
if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.875781");
  script_version("2019-05-14T05:04:40+0000");
  # CVE-2018-19790: open redirect through backslashes in the `_failure_path`
  # login-form field. CVE-2018-19789: disclosure of an uploaded file's path via
  # UploadedFile::__toString(). Both are described as affecting Symfony 2.8.x
  # before 2.8.49.
  script_cve_id("CVE-2018-19790", "CVE-2018-19789");
  # CVSS v2 base score and vector. They equal the CVSS v2 values published for
  # CVE-2018-19790, the higher-scored of the two (CVE-2018-19789 is 5.0).
  script_tag(name:"cvss_base", value:"5.8");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:P/I:P/A:N");
  script_tag(name:"last_modification", value:"2019-05-14 05:04:40 +0000 (Tue, 14 May 2019)");
  script_tag(name:"creation_date", value:"2019-05-07 02:20:14 +0000 (Tue, 07 May 2019)");
  script_name("Fedora Update for php-symfony FEDORA-2018-b38a4dd0c7");
  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2019 Greenbone Networks GmbH");
  script_family("Fedora Local Security Checks");
  # Declares gather-package-list.nasl as a dependency and requires three
  # knowledge-base keys, the last one matched as a regex against FC29.
  # NOTE(review): presumably those keys are filled from an authenticated SSH
  # login by the dependency, so an unauthenticated scan never reaches the
  # package check - confirm against gather-package-list.nasl.
  script_dependencies("gather-package-list.nasl");
  script_mandatory_keys("ssh/login/fedora", "ssh/login/rpms", re:"ssh/login/release=FC29");
  # References: the Fedora advisory id and its package-announce list message.
  script_xref(name:"FEDORA", value:"2018-b38a4dd0c7");
  script_xref(name:"URL", value:"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZBMQFVQWOYTMUNVMVBCCLQTXDF7PY633");
  # The summary string literal spans two source lines; the line break is part
  # of the reported text.
  script_tag(name:"summary", value:"The remote host is missing an update for the 'php-symfony'
package(s) announced via the FEDORA-2018-b38a4dd0c7 advisory.");
  # Detection is by package version only (see qod_type below): a finding means
  # an older php-symfony RPM is installed, not that an application on the host
  # exposes the affected login redirect or form handling.
  script_tag(name:"vuldetect", value:"Checks if a vulnerable package version is present on the target host.");
  # NOTE(review): the insight tag carries the package description rather than
  # any detail of the two CVEs; readers have to follow the xref URL for that.
  script_tag(name:"insight", value:"PHP framework for web projects");
  script_tag(name:"affected", value:"'php-symfony' package(s) on Fedora 29.");
  script_tag(name:"solution", value:"Please install the updated package(s).");
  script_tag(name:"solution_type", value:"VendorFix");
  script_tag(name:"qod_type", value:"package");
  exit(0);
}
include("revisions-lib.inc");
include("pkg-lib-rpm.inc");
# Host check: look up the installed php-symfony RPM and report it when the
# version comparison flags it.
# NOTE(review): rpm_get_ssh_release(), isrpmvuln() and __pkg_match are not
# defined in this file; presumably they come from pkg-lib-rpm.inc - confirm.
release = rpm_get_ssh_release();
if(!release)
  exit(0);

res = "";
report = "";

# The advisory covers Fedora 29 only; any other release ends the script
# without producing a result.
if(release != "FC29")
  exit(0);

# Only the 'php-symfony' package name is examined, so other Symfony package
# names are outside this check. The rpm argument names the build
# 2.8.49-1.fc29 (presumably encoded as name~version~release - confirm).
res = isrpmvuln(pkg:"php-symfony", rpm:"php-symfony~2.8.49~1.fc29", rls:"FC29");
if(!isnull(res))
  report += res;

if(report != "") {
  # isrpmvuln() returned text: hand it to the scanner as the finding.
  security_message(data:report);
  exit(0);
}

# NOTE(review): exit(99) is reached only when nothing was reported and
# __pkg_match is set; presumably it marks "package present and not affected",
# as opposed to the plain exit(0) used when no matching package was seen -
# confirm against the scanner's exit-code handling.
if(__pkg_match)
  exit(99);

exit(0);
{"id": "OPENVAS:1361412562310875781", "type": "openvas", "bulletinFamily": "scanner", "title": "Fedora Update for php-symfony FEDORA-2018-b38a4dd0c7", "description": "The remote host is missing an update for the ", "published": "2019-05-07T00:00:00", "modified": "2019-05-14T00:00:00", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310875781", "reporter": "Copyright (C) 2019 Greenbone Networks GmbH", "references": ["2018-b38a4dd0c7", "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZBMQFVQWOYTMUNVMVBCCLQTXDF7PY633"], "cvelist": ["CVE-2018-19790", "CVE-2018-19789"], "lastseen": "2019-05-29T18:32:18", "viewCount": 47, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2018-19789", "CVE-2018-19790"]}, {"type": "nessus", "idList": ["FEDORA_2018-8C06B6DEFD.NASL", "DEBIAN_DLA-1707.NASL", "FEDORA_2018-B38A4DD0C7.NASL", "FEDORA_2018-84A1F77D89.NASL", "DEBIAN_DSA-4441.NASL", "FEDORA_2018-66547A8C14.NASL", "FEDORA_2018-8D3A9BDFF1.NASL", "FEDORA_2018-6EDF04D9D6.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310891707", "OPENVAS:1361412562310875764", "OPENVAS:1361412562310875360", "OPENVAS:1361412562310875365", "OPENVAS:1361412562310875361", "OPENVAS:1361412562310704441", "OPENVAS:1361412562310112583", "OPENVAS:1361412562310875640"]}, {"type": "fedora", "idList": ["FEDORA:B94FC601CAD3", "FEDORA:92549601CAD3", "FEDORA:9A2646048FF2", "FEDORA:B21066048FEE", "FEDORA:843FD6048FD9", "FEDORA:F04E6601CAD3"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4441-1:4957F", "DEBIAN:DLA-1707-1:A69DA"]}], "modified": "2019-05-29T18:32:18", "rev": 2}, "score": {"value": 5.9, "vector": "NONE", "modified": "2019-05-29T18:32:18", "rev": 2}, "vulnersScore": 5.9}, "pluginID": "1361412562310875781", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and 
are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.875781\");\n script_version(\"2019-05-14T05:04:40+0000\");\n script_cve_id(\"CVE-2018-19790\", \"CVE-2018-19789\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-05-14 05:04:40 +0000 (Tue, 14 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-05-07 02:20:14 +0000 (Tue, 07 May 2019)\");\n script_name(\"Fedora Update for php-symfony FEDORA-2018-b38a4dd0c7\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC29\");\n\n script_xref(name:\"FEDORA\", value:\"2018-b38a4dd0c7\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZBMQFVQWOYTMUNVMVBCCLQTXDF7PY633\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 
'php-symfony'\n package(s) announced via the FEDORA-2018-b38a4dd0c7 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"PHP framework for web projects\");\n\n script_tag(name:\"affected\", value:\"'php-symfony' package(s) on Fedora 29.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC29\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"php-symfony\", rpm:\"php-symfony~2.8.49~1.fc29\", rls:\"FC29\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "naslFamily": "Fedora Local Security Checks"}
{"cve": [{"lastseen": "2020-12-09T20:25:39", "description": "An open redirect was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9 and 4.2.x before 4.2.1. By using backslashes in the `_failure_path` input field of login forms, an attacker can work around the redirection target restrictions and effectively redirect the user to any domain after login.", "edition": 6, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 2.7}, "published": "2018-12-18T22:29:00", "title": "CVE-2018-19790", "type": "cve", "cwe": ["CWE-601"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-19790"], "modified": "2019-05-10T16:29:00", "cpe": ["cpe:/o:debian:debian_linux:8.0", "cpe:/o:fedoraproject:fedora:28"], "id": "CVE-2018-19790", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19790", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:28:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T20:25:39", "description": "An issue was discovered in Symfony 2.7.x 
before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9, and 4.2.x before 4.2.1. When using the scalar type hint `string` in a setter method (e.g. `setName(string $name)`) of a class that's the `data_class` of a form, and when a file upload is submitted to the corresponding field instead of a normal text input, then `UploadedFile::__toString()` is called which will then return and disclose the path of the uploaded file. If combined with a local file inclusion issue in certain circumstances this could escalate it to a Remote Code Execution.", "edition": 6, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 1.4}, "published": "2018-12-18T22:29:00", "title": "CVE-2018-19789", "type": "cve", "cwe": ["CWE-434"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-19789"], "modified": "2019-05-10T16:29:00", "cpe": ["cpe:/o:debian:debian_linux:8.0"], "id": "CVE-2018-19789", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-19789", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"]}], "fedora": [{"lastseen": 
"2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2018-19789", "CVE-2018-19790"], "description": "Symfony PHP framework (version 3). NOTE: Does not require PHPUnit bridge. ", "modified": "2018-12-17T19:12:54", "published": "2018-12-17T19:12:54", "id": "FEDORA:B94FC601CAD3", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 29 Update: php-symfony3-3.4.20-1.fc29", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2018-19789", "CVE-2018-19790"], "description": "PHP framework for web projects ", "modified": "2018-12-17T19:12:55", "published": "2018-12-17T19:12:55", "id": "FEDORA:92549601CAD3", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 29 Update: php-symfony-2.8.49-1.fc29", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2018-19789", "CVE-2018-19790"], "description": "Symfony PHP framework (version 4). NOTE: Does not require PHPUnit bridge. ", "modified": "2018-12-17T19:12:56", "published": "2018-12-17T19:12:56", "id": "FEDORA:F04E6601CAD3", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 29 Update: php-symfony4-4.1.9-1.fc29", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2018-14773", "CVE-2018-14774", "CVE-2018-19789", "CVE-2018-19790"], "description": "PHP framework for web projects ", "modified": "2018-12-17T02:28:11", "published": "2018-12-17T02:28:11", "id": "FEDORA:9A2646048FF2", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 28 Update: php-symfony-2.8.49-1.fc28", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2018-14773", "CVE-2018-14774", "CVE-2018-19789", "CVE-2018-19790"], "description": "Symfony PHP framework (version 3). 
NOTE: Does not require PHPUnit bridge. ", "modified": "2018-12-17T02:28:10", "published": "2018-12-17T02:28:10", "id": "FEDORA:843FD6048FD9", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 28 Update: php-symfony3-3.4.20-1.fc28", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2018-14773", "CVE-2018-14774", "CVE-2018-19789", "CVE-2018-19790"], "description": "Symfony PHP framework (version 4). NOTE: Does not require PHPUnit bridge. ", "modified": "2018-12-17T02:28:12", "published": "2018-12-17T02:28:12", "id": "FEDORA:B21066048FEE", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 28 Update: php-symfony4-4.0.15-1.fc28", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}], "nessus": [{"lastseen": "2021-01-07T10:19:08", "description": "**Version 4.1.9** (2018-12-06)\n\n - security\n [CVE-2018-19790](https://symfony.com/cve-2018-19790)\n [Security\\Http] detect bad redirect targets using\n backslashes (@xabbuh)\n\n - security\n [CVE-2018-19789](https://symfony.com/cve-2018-19789)\n [Form] Filter file uploads out of regular form types\n (@nicolas-grekas)\n\n - bug #29436 [Cache] Fixed Memcached adapter doClear()to\n call flush() (raitocz)\n\n - bug #29441 [Routing] ignore trailing slash for non-GET\n requests (nicolas-grekas)\n\n - bug #29444 [Workflow] Fixed BC break for Workflow\n metadata (lyrixx)\n\n - bug #29432 [DI] dont inline when lazy edges are found\n (nicolas-grekas)\n\n - bug #29413 [Serializer] fixed DateTimeNormalizer to\n maintain microseconds when a different timezone required\n (rvitaliy)\n\n - bug #29424 [Routing] fix taking verb into account when\n redirecting (nicolas-grekas)\n\n - bug #29414 [DI] Fix dumping expressions accessing\n single-use private services (chalasr)\n\n - bug #29375 [Validator] Allow\n `ConstraintViolation::__toString()` to expose codes that\n are not null or emtpy strings (phansys)\n\n - bug #29376 
[EventDispatcher] Fix eventListener wrapper\n loop in TraceableEventDispatcher (jderusse)\n\n - bug #29386 undeprecate the single-colon notation for\n controllers (fbourigault)\n\n - bug #29393 [DI] fix edge case in\n InlineServiceDefinitionsPass (nicolas-grekas)\n\n - bug #29380 [Routing] fix greediness of trailing slash\n (nicolas-grekas)\n\n - bug #29343 [Form] Handle all case variants of 'nan' when\n parsing a number (mwhudson, xabbuh)\n\n - bug #29373 [Routing] fix trailing slash redirection\n (nicolas-grekas)\n\n - bug #29355 [PropertyAccess] calculate cache keys for\n property setters depending on the value (xabbuh)\n\n - bug #29369 [DI] fix combinatorial explosion when\n analyzing the service graph (nicolas-grekas)\n\n - bug #29349 [Debug] workaround opcache bug mutating\n '$this' !?! (nicolas-grekas)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 14, "cvss3": {"score": 6.1, "vector": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}, "published": "2019-01-03T00:00:00", "title": "Fedora 29 : php-symfony4 (2018-84a1f77d89)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-19790", "CVE-2018-19789"], "modified": "2019-01-03T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:29", "p-cpe:/a:fedoraproject:fedora:php-symfony4"], "id": "FEDORA_2018-84A1F77D89.NASL", "href": "https://www.tenable.com/plugins/nessus/120580", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2018-84a1f77d89.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(120580);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", 
value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2018-19789\", \"CVE-2018-19790\");\n script_xref(name:\"FEDORA\", value:\"2018-84a1f77d89\");\n\n script_name(english:\"Fedora 29 : php-symfony4 (2018-84a1f77d89)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"**Version 4.1.9** (2018-12-06)\n\n - security\n [CVE-2018-19790](https://symfony.com/cve-2018-19790)\n [Security\\Http] detect bad redirect targets using\n backslashes (@xabbuh)\n\n - security\n [CVE-2018-19789](https://symfony.com/cve-2018-19789)\n [Form] Filter file uploads out of regular form types\n (@nicolas-grekas)\n\n - bug #29436 [Cache] Fixed Memcached adapter doClear()to\n call flush() (raitocz)\n\n - bug #29441 [Routing] ignore trailing slash for non-GET\n requests (nicolas-grekas)\n\n - bug #29444 [Workflow] Fixed BC break for Workflow\n metadata (lyrixx)\n\n - bug #29432 [DI] dont inline when lazy edges are found\n (nicolas-grekas)\n\n - bug #29413 [Serializer] fixed DateTimeNormalizer to\n maintain microseconds when a different timezone required\n (rvitaliy)\n\n - bug #29424 [Routing] fix taking verb into account when\n redirecting (nicolas-grekas)\n\n - bug #29414 [DI] Fix dumping expressions accessing\n single-use private services (chalasr)\n\n - bug #29375 [Validator] Allow\n `ConstraintViolation::__toString()` to expose codes that\n are not null or emtpy strings (phansys)\n\n - bug #29376 [EventDispatcher] Fix eventListener wrapper\n loop in TraceableEventDispatcher (jderusse)\n\n - bug #29386 undeprecate the single-colon notation for\n controllers (fbourigault)\n\n - bug #29393 [DI] fix edge case in\n InlineServiceDefinitionsPass (nicolas-grekas)\n\n - bug #29380 [Routing] fix greediness of trailing slash\n (nicolas-grekas)\n\n - bug #29343 [Form] Handle all case variants of 
'nan' when\n parsing a number (mwhudson, xabbuh)\n\n - bug #29373 [Routing] fix trailing slash redirection\n (nicolas-grekas)\n\n - bug #29355 [PropertyAccess] calculate cache keys for\n property setters depending on the value (xabbuh)\n\n - bug #29369 [DI] fix combinatorial explosion when\n analyzing the service graph (nicolas-grekas)\n\n - bug #29349 [Debug] workaround opcache bug mutating\n '$this' !?! (nicolas-grekas)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2018-84a1f77d89\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://symfony.com/cve-2018-19789\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://symfony.com/cve-2018-19790\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected php-symfony4 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-symfony4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:29\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/12/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/12/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", 
value:\"2019/01/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^29([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 29\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC29\", reference:\"php-symfony4-4.1.9-1.fc29\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php-symfony4\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-01-07T10:18:36", "description": "**Version 3.4.20** (2018-12-06)\n\n - security\n [CVE-2018-19790](https://symfony.com/cve-2018-19790)\n 
[Security\\Http] detect bad redirect targets using\n backslashes (@xabbuh)\n\n - security\n [CVE-2018-19789](https://symfony.com/cve-2018-19789)\n [Form] Filter file uploads out of regular form types\n (@nicolas-grekas)\n\n - bug #29436 [Cache] Fixed Memcached adapter doClear()to\n call flush() (raitocz)\n\n - bug #29441 [Routing] ignore trailing slash for non-GET\n requests (nicolas-grekas)\n\n - bug #29432 [DI] dont inline when lazy edges are found\n (nicolas-grekas)\n\n - bug #29413 [Serializer] fixed DateTimeNormalizer to\n maintain microseconds when a different timezone required\n (rvitaliy)\n\n - bug #29424 [Routing] fix taking verb into account when\n redirecting (nicolas-grekas)\n\n - bug #29414 [DI] Fix dumping expressions accessing\n single-use private services (chalasr)\n\n - bug #29375 [Validator] Allow\n `ConstraintViolation::__toString()` to expose codes that\n are not null or emtpy strings (phansys)\n\n - bug #29376 [EventDispatcher] Fix eventListener wrapper\n loop in TraceableEventDispatcher (jderusse)\n\n - bug #29343 [Form] Handle all case variants of 'nan' when\n parsing a number (mwhudson, xabbuh)\n\n - bug #29355 [PropertyAccess] calculate cache keys for\n property setters depending on the value (xabbuh)\n\n - bug #29369 [DI] fix combinatorial explosion when\n analyzing the service graph (nicolas-grekas)\n\n - bug #29349 [Debug] workaround opcache bug mutating\n '$this' !?! 
(nicolas-grekas)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 14, "cvss3": {"score": 6.1, "vector": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}, "published": "2019-01-03T00:00:00", "title": "Fedora 28 : php-symfony3 (2018-66547a8c14)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-19790", "CVE-2018-19789"], "modified": "2019-01-03T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:php-symfony3", "cpe:/o:fedoraproject:fedora:28"], "id": "FEDORA_2018-66547A8C14.NASL", "href": "https://www.tenable.com/plugins/nessus/120481", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2018-66547a8c14.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(120481);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2018-19789\", \"CVE-2018-19790\");\n script_xref(name:\"FEDORA\", value:\"2018-66547a8c14\");\n\n script_name(english:\"Fedora 28 : php-symfony3 (2018-66547a8c14)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"**Version 3.4.20** (2018-12-06)\n\n - security\n [CVE-2018-19790](https://symfony.com/cve-2018-19790)\n [Security\\Http] detect bad redirect targets using\n backslashes (@xabbuh)\n\n - security\n [CVE-2018-19789](https://symfony.com/cve-2018-19789)\n [Form] Filter file uploads out of regular form types\n (@nicolas-grekas)\n\n - bug #29436 
[Cache] Fixed Memcached adapter doClear()to\n call flush() (raitocz)\n\n - bug #29441 [Routing] ignore trailing slash for non-GET\n requests (nicolas-grekas)\n\n - bug #29432 [DI] dont inline when lazy edges are found\n (nicolas-grekas)\n\n - bug #29413 [Serializer] fixed DateTimeNormalizer to\n maintain microseconds when a different timezone required\n (rvitaliy)\n\n - bug #29424 [Routing] fix taking verb into account when\n redirecting (nicolas-grekas)\n\n - bug #29414 [DI] Fix dumping expressions accessing\n single-use private services (chalasr)\n\n - bug #29375 [Validator] Allow\n `ConstraintViolation::__toString()` to expose codes that\n are not null or emtpy strings (phansys)\n\n - bug #29376 [EventDispatcher] Fix eventListener wrapper\n loop in TraceableEventDispatcher (jderusse)\n\n - bug #29343 [Form] Handle all case variants of 'nan' when\n parsing a number (mwhudson, xabbuh)\n\n - bug #29355 [PropertyAccess] calculate cache keys for\n property setters depending on the value (xabbuh)\n\n - bug #29369 [DI] fix combinatorial explosion when\n analyzing the service graph (nicolas-grekas)\n\n - bug #29349 [Debug] workaround opcache bug mutating\n '$this' !?! 
(nicolas-grekas)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2018-66547a8c14\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://symfony.com/cve-2018-19789\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://symfony.com/cve-2018-19790\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected php-symfony3 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-symfony3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:28\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/12/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/12/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/01/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^28([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 28\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC28\", reference:\"php-symfony3-3.4.20-1.fc28\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php-symfony3\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-01-07T10:19:19", "description": "**Version 2.8.49** (2018-12-06)\n\n - security\n [CVE-2018-19790](https://symfony.com/cve-2018-19790)\n [Security\\Http] detect bad redirect targets using\n backslashes (@xabbuh)\n\n - security\n [CVE-2018-19789](https://symfony.com/cve-2018-19789)\n [Form] Filter file uploads out of regular form types\n (@nicolas-grekas)\n\nNote that Tenable Network Security has extracted 
the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 13, "cvss3": {"score": 6.1, "vector": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}, "published": "2019-01-03T00:00:00", "title": "Fedora 28 : php-symfony (2018-8c06b6defd)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-19790", "CVE-2018-19789"], "modified": "2019-01-03T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:php-symfony", "cpe:/o:fedoraproject:fedora:28"], "id": "FEDORA_2018-8C06B6DEFD.NASL", "href": "https://www.tenable.com/plugins/nessus/120596", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2018-8c06b6defd.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(120596);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2018-19789\", \"CVE-2018-19790\");\n script_xref(name:\"FEDORA\", value:\"2018-8c06b6defd\");\n\n script_name(english:\"Fedora 28 : php-symfony (2018-8c06b6defd)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"**Version 2.8.49** (2018-12-06)\n\n - security\n [CVE-2018-19790](https://symfony.com/cve-2018-19790)\n [Security\\Http] detect bad redirect targets using\n backslashes (@xabbuh)\n\n - security\n [CVE-2018-19789](https://symfony.com/cve-2018-19789)\n [Form] Filter file uploads out of regular form types\n (@nicolas-grekas)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block 
directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2018-8c06b6defd\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://symfony.com/cve-2018-19789\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://symfony.com/cve-2018-19790\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected php-symfony package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-symfony\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:28\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/12/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/12/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/01/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^28([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 28\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC28\", reference:\"php-symfony-2.8.49-1.fc28\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php-symfony\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-01-07T10:19:21", "description": "**Version 3.4.20** (2018-12-06)\n\n - security\n [CVE-2018-19790](https://symfony.com/cve-2018-19790)\n [Security\\Http] detect bad redirect targets using\n backslashes (@xabbuh)\n\n - security\n [CVE-2018-19789](https://symfony.com/cve-2018-19789)\n [Form] Filter file uploads out of regular form types\n (@nicolas-grekas)\n\n - bug #29436 [Cache] Fixed Memcached adapter 
doClear() to\n call flush() (raitocz)\n\n - bug #29441 [Routing] ignore trailing slash for non-GET\n requests (nicolas-grekas)\n\n - bug #29432 [DI] don't inline when lazy edges are found\n (nicolas-grekas)\n\n - bug #29413 [Serializer] fixed DateTimeNormalizer to\n maintain microseconds when a different timezone required\n (rvitaliy)\n\n - bug #29424 [Routing] fix taking verb into account when\n redirecting (nicolas-grekas)\n\n - bug #29414 [DI] Fix dumping expressions accessing\n single-use private services (chalasr)\n\n - bug #29375 [Validator] Allow\n `ConstraintViolation::__toString()` to expose codes that\n are not null or empty strings (phansys)\n\n - bug #29376 [EventDispatcher] Fix eventListener wrapper\n loop in TraceableEventDispatcher (jderusse)\n\n - bug #29343 [Form] Handle all case variants of 'nan' when\n parsing a number (mwhudson, xabbuh)\n\n - bug #29355 [PropertyAccess] calculate cache keys for\n property setters depending on the value (xabbuh)\n\n - bug #29369 [DI] fix combinatorial explosion when\n analyzing the service graph (nicolas-grekas)\n\n - bug #29349 [Debug] workaround opcache bug mutating\n '$this' !?! 
(nicolas-grekas)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 14, "cvss3": {"score": 6.1, "vector": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}, "published": "2019-01-03T00:00:00", "title": "Fedora 29 : php-symfony3 (2018-8d3a9bdff1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-19790", "CVE-2018-19789"], "modified": "2019-01-03T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:29", "p-cpe:/a:fedoraproject:fedora:php-symfony3"], "id": "FEDORA_2018-8D3A9BDFF1.NASL", "href": "https://www.tenable.com/plugins/nessus/120600", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2018-8d3a9bdff1.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(120600);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2018-19789\", \"CVE-2018-19790\");\n script_xref(name:\"FEDORA\", value:\"2018-8d3a9bdff1\");\n\n script_name(english:\"Fedora 29 : php-symfony3 (2018-8d3a9bdff1)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"**Version 3.4.20** (2018-12-06)\n\n - security\n [CVE-2018-19790](https://symfony.com/cve-2018-19790)\n [Security\\Http] detect bad redirect targets using\n backslashes (@xabbuh)\n\n - security\n [CVE-2018-19789](https://symfony.com/cve-2018-19789)\n [Form] Filter file uploads out of regular form types\n (@nicolas-grekas)\n\n - bug #29436 
[Cache] Fixed Memcached adapter doClear()to\n call flush() (raitocz)\n\n - bug #29441 [Routing] ignore trailing slash for non-GET\n requests (nicolas-grekas)\n\n - bug #29432 [DI] dont inline when lazy edges are found\n (nicolas-grekas)\n\n - bug #29413 [Serializer] fixed DateTimeNormalizer to\n maintain microseconds when a different timezone required\n (rvitaliy)\n\n - bug #29424 [Routing] fix taking verb into account when\n redirecting (nicolas-grekas)\n\n - bug #29414 [DI] Fix dumping expressions accessing\n single-use private services (chalasr)\n\n - bug #29375 [Validator] Allow\n `ConstraintViolation::__toString()` to expose codes that\n are not null or emtpy strings (phansys)\n\n - bug #29376 [EventDispatcher] Fix eventListener wrapper\n loop in TraceableEventDispatcher (jderusse)\n\n - bug #29343 [Form] Handle all case variants of 'nan' when\n parsing a number (mwhudson, xabbuh)\n\n - bug #29355 [PropertyAccess] calculate cache keys for\n property setters depending on the value (xabbuh)\n\n - bug #29369 [DI] fix combinatorial explosion when\n analyzing the service graph (nicolas-grekas)\n\n - bug #29349 [Debug] workaround opcache bug mutating\n '$this' !?! 
(nicolas-grekas)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2018-8d3a9bdff1\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://symfony.com/cve-2018-19789\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://symfony.com/cve-2018-19790\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected php-symfony3 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-symfony3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:29\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/12/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/12/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/01/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^29([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 29\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC29\", reference:\"php-symfony3-3.4.20-1.fc29\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php-symfony3\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-01-07T10:18:45", "description": "**Version 4.0.15** (2018-12-06)\n\n - security\n [CVE-2018-19790](https://symfony.com/cve-2018-19790)\n [Security\\Http] detect bad redirect targets using\n backslashes (@xabbuh)\n\n - security\n [CVE-2018-19789](https://symfony.com/cve-2018-19789)\n [Form] Filter file uploads out of regular form types\n (@nicolas-grekas)\n\nNote that Tenable Network Security has extracted 
the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 13, "cvss3": {"score": 6.1, "vector": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}, "published": "2019-01-03T00:00:00", "title": "Fedora 28 : php-symfony4 (2018-6edf04d9d6)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-19790", "CVE-2018-19789"], "modified": "2019-01-03T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:php-symfony4", "cpe:/o:fedoraproject:fedora:28"], "id": "FEDORA_2018-6EDF04D9D6.NASL", "href": "https://www.tenable.com/plugins/nessus/120515", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2018-6edf04d9d6.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(120515);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2018-19789\", \"CVE-2018-19790\");\n script_xref(name:\"FEDORA\", value:\"2018-6edf04d9d6\");\n\n script_name(english:\"Fedora 28 : php-symfony4 (2018-6edf04d9d6)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"**Version 4.0.15** (2018-12-06)\n\n - security\n [CVE-2018-19790](https://symfony.com/cve-2018-19790)\n [Security\\Http] detect bad redirect targets using\n backslashes (@xabbuh)\n\n - security\n [CVE-2018-19789](https://symfony.com/cve-2018-19789)\n [Form] Filter file uploads out of regular form types\n (@nicolas-grekas)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block 
directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2018-6edf04d9d6\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://symfony.com/cve-2018-19789\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://symfony.com/cve-2018-19790\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected php-symfony4 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-symfony4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:28\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/12/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/12/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/01/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^28([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 28\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC28\", reference:\"php-symfony4-4.0.15-1.fc28\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php-symfony4\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-01-07T10:20:47", "description": "**Version 2.8.49** (2018-12-06)\n\n - security\n [CVE-2018-19790](https://symfony.com/cve-2018-19790)\n [Security\\Http] detect bad redirect targets using\n backslashes (@xabbuh)\n\n - security\n [CVE-2018-19789](https://symfony.com/cve-2018-19789)\n [Form] Filter file uploads out of regular form types\n (@nicolas-grekas)\n\nNote that Tenable Network Security has extracted 
the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 13, "cvss3": {"score": 6.1, "vector": "AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}, "published": "2019-01-03T00:00:00", "title": "Fedora 29 : php-symfony (2018-b38a4dd0c7)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-19790", "CVE-2018-19789"], "modified": "2019-01-03T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:php-symfony", "cpe:/o:fedoraproject:fedora:29"], "id": "FEDORA_2018-B38A4DD0C7.NASL", "href": "https://www.tenable.com/plugins/nessus/120720", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2018-b38a4dd0c7.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(120720);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2018-19789\", \"CVE-2018-19790\");\n script_xref(name:\"FEDORA\", value:\"2018-b38a4dd0c7\");\n\n script_name(english:\"Fedora 29 : php-symfony (2018-b38a4dd0c7)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"**Version 2.8.49** (2018-12-06)\n\n - security\n [CVE-2018-19790](https://symfony.com/cve-2018-19790)\n [Security\\Http] detect bad redirect targets using\n backslashes (@xabbuh)\n\n - security\n [CVE-2018-19789](https://symfony.com/cve-2018-19789)\n [Form] Filter file uploads out of regular form types\n (@nicolas-grekas)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block 
directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2018-b38a4dd0c7\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://symfony.com/cve-2018-19789\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://symfony.com/cve-2018-19790\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected php-symfony package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-symfony\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:29\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/12/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/12/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/01/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^29([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 29\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC29\", reference:\"php-symfony-2.8.49-1.fc29\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php-symfony\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-01-12T09:40:26", "description": "Several security vulnerabilities have been discovered in symfony, a\nPHP web application framework. 
Numerous symfony components are\naffected: Security, bundle readers, session handling, SecurityBundle,\nHttpFoundation, Form, and Security\\Http.\n\nThe corresponding upstream advisories contain further details:\n\n[CVE-2017-16652]\nhttps://symfony.com/blog/cve-2017-16652-open-redirect-vulnerability-on-security-handlers\n\n[CVE-2017-16654]\nhttps://symfony.com/blog/cve-2017-16654-intl-bundle-readers-breaking-out-of-paths\n\n[CVE-2018-11385]\nhttps://symfony.com/blog/cve-2018-11385-session-fixation-issue-for-guard-authentication\n\n[CVE-2018-11408]\nhttps://symfony.com/blog/cve-2018-11408-open-redirect-vulnerability-on-security-handlers\n\n[CVE-2018-14773]\nhttps://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers\n\n[CVE-2018-19789]\nhttps://symfony.com/blog/cve-2018-19789-disclosure-of-uploaded-files-full-path\n\n[CVE-2018-19790]\nhttps://symfony.com/blog/cve-2018-19790-open-redirect-vulnerability-when-using-security-http\n\nFor Debian 8 'Jessie', these problems have been fixed in version\n2.3.21+dfsg-4+deb8u4.\n\nWe recommend that you upgrade your symfony packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "edition": 16, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-03-11T00:00:00", "title": "Debian DLA-1707-1 : symfony security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-16652", "CVE-2018-19790", "CVE-2018-14773", "CVE-2018-11385", "CVE-2017-16654", "CVE-2018-19789", "CVE-2018-11408"], "modified": "2019-03-11T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:php-symfony-validator", "p-cpe:/a:debian:debian_linux:php-symfony-propel1-bridge", "p-cpe:/a:debian:debian_linux:php-symfony-property-access", "p-cpe:/a:debian:debian_linux:php-symfony-twig-bundle", "p-cpe:/a:debian:debian_linux:php-symfony-finder", "p-cpe:/a:debian:debian_linux:php-symfony-filesystem", "p-cpe:/a:debian:debian_linux:php-symfony-security", "p-cpe:/a:debian:debian_linux:php-symfony-swiftmailer-bridge", "cpe:/o:debian:debian_linux:8.0", "p-cpe:/a:debian:debian_linux:php-symfony-monolog-bridge", "p-cpe:/a:debian:debian_linux:php-symfony-proxy-manager-bridge", "p-cpe:/a:debian:debian_linux:php-symfony-templating", "p-cpe:/a:debian:debian_linux:php-symfony-serializer", "p-cpe:/a:debian:debian_linux:php-symfony-doctrine-bridge", "p-cpe:/a:debian:debian_linux:php-symfony-class-loader", "p-cpe:/a:debian:debian_linux:php-symfony-event-dispatcher", "p-cpe:/a:debian:debian_linux:php-symfony-css-selector", "p-cpe:/a:debian:debian_linux:php-symfony-form", "p-cpe:/a:debian:debian_linux:php-symfony-web-profiler-bundle", "p-cpe:/a:debian:debian_linux:php-symfony-dependency-injection", "p-cpe:/a:debian:debian_linux:php-symfony-console", "p-cpe:/a:debian:debian_linux:php-symfony-eventdispatcher", "p-cpe:/a:debian:debian_linux:php-symfony-yaml", "p-cpe:/a:debian:debian_linux:php-symfony-config", "p-cpe:/a:debian:debian_linux:php-symfony-http-foundation", "p-cpe:/a:debian:debian_linux:php-symfony-options-resolver", 
"p-cpe:/a:debian:debian_linux:php-symfony-process", "p-cpe:/a:debian:debian_linux:php-symfony-http-kernel", "p-cpe:/a:debian:debian_linux:php-symfony-classloader", "p-cpe:/a:debian:debian_linux:php-symfony-dom-crawler", "p-cpe:/a:debian:debian_linux:php-symfony-stopwatch", "p-cpe:/a:debian:debian_linux:php-symfony-browser-kit", "p-cpe:/a:debian:debian_linux:php-symfony-twig-bridge", "p-cpe:/a:debian:debian_linux:php-symfony-translation", "p-cpe:/a:debian:debian_linux:php-symfony-security-bundle", "p-cpe:/a:debian:debian_linux:php-symfony-locale", "p-cpe:/a:debian:debian_linux:php-symfony-routing", "p-cpe:/a:debian:debian_linux:php-symfony-debug", "p-cpe:/a:debian:debian_linux:php-symfony-intl", "p-cpe:/a:debian:debian_linux:php-symfony-framework-bundle"], "id": "DEBIAN_DLA-1707.NASL", "href": "https://www.tenable.com/plugins/nessus/122721", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-1707-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(122721);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2017-16652\", \"CVE-2017-16654\", \"CVE-2018-11385\", \"CVE-2018-11408\", \"CVE-2018-14773\", \"CVE-2018-19789\", \"CVE-2018-19790\");\n\n script_name(english:\"Debian DLA-1707-1 : symfony security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several security vulnerabilities have been discovered in symfony, a\nPHP web application framework. 
Numerous symfony components are\naffected: Security, bundle readers, session handling, SecurityBundle,\nHttpFoundation, Form, and Security\\Http.\n\nThe corresponding upstream advisories contain further details :\n\n[CVE-2017-16652]\nhttps://symfony.com/blog/cve-2017-16652-open-redirect-vulnerability-on\n-security-handlers\n\n[CVE-2017-16654]\nhttps://symfony.com/blog/cve-2017-16654-intl-bundle-readers-breaking-o\nut-of-paths\n\n[CVE-2018-11385]\nhttps://symfony.com/blog/cve-2018-11385-session-fixation-issue-for-gua\nrd-authentication\n\n[CVE-2018-11408]\nhttps://symfony.com/blog/cve-2018-11408-open-redirect-vulnerability-on\n-security-handlers\n\n[CVE-2018-14773]\nhttps://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-\nrisky-http-headers\n\n[CVE-2018-19789]\nhttps://symfony.com/blog/cve-2018-19789-disclosure-of-uploaded-files-f\null-path\n\n[CVE-2018-19790]\nhttps://symfony.com/blog/cve-2018-19790-open-redirect-vulnerability-wh\nen-using-security-http\n\nFor Debian 8 'Jessie', these problems have been fixed in version\n2.3.21+dfsg-4+deb8u4.\n\nWe recommend that you upgrade your symfony packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. 
Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2019/03/msg00009.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/symfony\"\n );\n # https://symfony.com/blog/cve-2017-16652-open-redirect-vulnerability-on-security-handlers\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?0f99409b\"\n );\n # https://symfony.com/blog/cve-2017-16654-intl-bundle-readers-breaking-out-of-paths\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?c7dce206\"\n );\n # https://symfony.com/blog/cve-2018-11385-session-fixation-issue-for-guard-authentication\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?5a195ddf\"\n );\n # https://symfony.com/blog/cve-2018-11408-open-redirect-vulnerability-on-security-handlers\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?39450434\"\n );\n # https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?391e80f4\"\n );\n # https://symfony.com/blog/cve-2018-19789-disclosure-of-uploaded-files-full-path\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?df081f61\"\n );\n # https://symfony.com/blog/cve-2018-19790-open-redirect-vulnerability-when-using-security-http\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?8a01aecd\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n 
script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-browser-kit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-class-loader\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-classloader\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-config\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-console\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-css-selector\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-dependency-injection\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-doctrine-bridge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-dom-crawler\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-event-dispatcher\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-eventdispatcher\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-filesystem\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-finder\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-form\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:debian:debian_linux:php-symfony-framework-bundle\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-http-foundation\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-http-kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-intl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-locale\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-monolog-bridge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-options-resolver\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-process\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-propel1-bridge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-property-access\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-proxy-manager-bridge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-routing\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-security\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-security-bundle\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-serializer\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-stopwatch\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-swiftmailer-bridge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-templating\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:debian:debian_linux:php-symfony-translation\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-twig-bridge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-twig-bundle\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-validator\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-web-profiler-bundle\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-yaml\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/03/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/03/11\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-browser-kit\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-class-loader\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-classloader\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-config\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-console\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-css-selector\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-debug\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-dependency-injection\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-doctrine-bridge\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-dom-crawler\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-event-dispatcher\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-eventdispatcher\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", 
prefix:\"php-symfony-filesystem\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-finder\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-form\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-framework-bundle\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-http-foundation\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-http-kernel\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-intl\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-locale\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-monolog-bridge\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-options-resolver\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-process\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-propel1-bridge\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-property-access\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-proxy-manager-bridge\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-routing\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-security\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-security-bundle\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-serializer\", reference:\"2.3.21+dfsg-4+deb8u4\")) 
flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-stopwatch\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-swiftmailer-bridge\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-templating\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-translation\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-twig-bridge\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-twig-bundle\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-validator\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-web-profiler-bundle\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-yaml\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-01T01:50:28", "description": "Multiple vulnerabilities were discovered in the Symfony PHP framework\nwhich could lead to cache bypass, authentication bypass, information\ndisclosure, open redirect, cross-site request forgery, deletion of\narbitrary files, or arbitrary code execution.", "edition": 17, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-05-13T00:00:00", "title": "Debian DSA-4441-1 : symfony - security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-10911", "CVE-2018-19790", "CVE-2019-10913", "CVE-2018-14773", "CVE-2019-10910", "CVE-2018-19789", "CVE-2019-10909", "CVE-2019-10912"], "modified": 
"2021-01-02T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:symfony", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DSA-4441.NASL", "href": "https://www.tenable.com/plugins/nessus/124779", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4441. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(124779);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2020/01/21\");\n\n script_cve_id(\"CVE-2018-14773\", \"CVE-2018-19789\", \"CVE-2018-19790\", \"CVE-2019-10909\", \"CVE-2019-10910\", \"CVE-2019-10911\", \"CVE-2019-10912\", \"CVE-2019-10913\");\n script_xref(name:\"DSA\", value:\"4441\");\n\n script_name(english:\"Debian DSA-4441-1 : symfony - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple vulnerabilities were discovered in the Symfony PHP framework\nwhich could lead to cache bypass, authentication bypass, information\ndisclosure, open redirect, cross-site request forgery, deletion of\narbitrary files, or arbitrary code execution.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/symfony\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/symfony\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2019/dsa-4441\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the symfony packages.\n\nFor the stable distribution (stretch), these problems have been fixed\nin version 2.8.7+dfsg-1.3+deb9u2.\"\n );\n 
script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:symfony\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/13\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-asset\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-browser-kit\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-class-loader\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-config\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-console\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-css-selector\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-debug\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-debug-bundle\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-dependency-injection\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-doctrine-bridge\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-dom-crawler\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", 
prefix:\"php-symfony-event-dispatcher\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-expression-language\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-filesystem\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-finder\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-form\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-framework-bundle\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-http-foundation\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-http-kernel\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-intl\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-ldap\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-locale\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-monolog-bridge\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-options-resolver\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-phpunit-bridge\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-process\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-property-access\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-property-info\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-proxy-manager-bridge\", 
reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-routing\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-security\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-security-bundle\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-security-core\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-security-csrf\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-security-guard\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-security-http\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-serializer\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-stopwatch\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-swiftmailer-bridge\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-templating\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-translation\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-twig-bridge\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-twig-bundle\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-validator\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-var-dumper\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-web-profiler-bundle\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) 
flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-yaml\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2019-05-29T18:32:13", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-19790", "CVE-2018-19789"], "description": "The remote host is missing an update for the 'php-symfony3' package(s) announced via the FEDORA-2018-8d3a9bdff1 advisory.", "modified": "2019-05-14T00:00:00", "published": "2019-05-07T00:00:00", "id": "OPENVAS:1361412562310875764", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310875764", "type": "openvas", "title": "Fedora Update for php-symfony3 FEDORA-2018-8d3a9bdff1", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.875764\");\n script_version(\"2019-05-14T05:04:40+0000\");\n script_cve_id(\"CVE-2018-19790\", \"CVE-2018-19789\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-05-14 05:04:40 +0000 (Tue, 14 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-05-07 02:19:42 +0000 (Tue, 07 May 2019)\");\n script_name(\"Fedora Update for php-symfony3 FEDORA-2018-8d3a9bdff1\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC29\");\n\n script_xref(name:\"FEDORA\", value:\"2018-8d3a9bdff1\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V7S6GT6OX2VPYOKQADCPM7PRDCS5KMD5\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'php-symfony3'\n package(s) announced via the FEDORA-2018-8d3a9bdff1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Symfony PHP framework (version 3).\n\nNOTE: Does not require PHPUnit bridge.\");\n\n script_tag(name:\"affected\", value:\"'php-symfony3' package(s) on Fedora 29.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", 
value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC29\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"php-symfony3\", rpm:\"php-symfony3~3.4.20~1.fc29\", rls:\"FC29\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-05-29T18:32:14", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-19790", "CVE-2018-19789"], "description": "The remote host is missing an update for the 'php-symfony4' package(s) announced via the FEDORA-2018-84a1f77d89 advisory.", "modified": "2019-05-14T00:00:00", "published": "2019-05-07T00:00:00", "id": "OPENVAS:1361412562310875640", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310875640", "type": "openvas", "title": "Fedora Update for php-symfony4 FEDORA-2018-84a1f77d89", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.875640\");\n script_version(\"2019-05-14T05:04:40+0000\");\n script_cve_id(\"CVE-2018-19790\", \"CVE-2018-19789\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-05-14 05:04:40 +0000 (Tue, 14 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-05-07 02:13:53 +0000 (Tue, 07 May 2019)\");\n script_name(\"Fedora Update for php-symfony4 FEDORA-2018-84a1f77d89\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC29\");\n\n script_xref(name:\"FEDORA\", value:\"2018-84a1f77d89\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WTOF6UNEUGLEQ6QJCP3VVUBWO4H2G673\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'php-symfony4'\n package(s) announced via the FEDORA-2018-84a1f77d89 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Symfony PHP framework (version 4).\n\nNOTE: Does not require PHPUnit bridge.\");\n\n script_tag(name:\"affected\", value:\"'php-symfony4' package(s) on Fedora 29.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", 
value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC29\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"php-symfony4\", rpm:\"php-symfony4~4.1.9~1.fc29\", rls:\"FC29\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-06-10T12:42:59", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-19790", "CVE-2018-19789"], "description": "This host runs Symfony and is prone to multiple vulnerabilities.", "modified": "2019-06-07T00:00:00", "published": "2019-05-20T00:00:00", "id": "OPENVAS:1361412562310112583", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310112583", "type": "openvas", "title": "Symfony 2.7.x < 2.7.50, 2.8.x < 2.8.49, 3.x < 3.4.20, 4.0.x < 4.0.15, 4.x < 4.1.9, 4.2.x < 4.2.1 Multiple Vulnerabilities", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH, https://www.greenbone.net\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif( description )\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.112583\");\n script_version(\"2019-06-07T08:16:45+0000\");\n script_tag(name:\"last_modification\", value:\"2019-06-07 08:16:45 +0000 (Fri, 07 Jun 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-05-20 11:50:54 +0200 (Mon, 20 May 2019)\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_cve_id(\"CVE-2018-19789\", \"CVE-2018-19790\");\n script_bugtraq_id(106249);\n\n script_name(\"Symfony 2.7.x < 2.7.50, 2.8.x < 2.8.49, 3.x < 3.4.20, 4.0.x < 4.0.15, 4.x < 4.1.9, 4.2.x < 4.2.1 Multiple Vulnerabilities\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_symfony_consolidation.nasl\");\n script_mandatory_keys(\"symfony/detected\");\n\n script_tag(name:\"summary\", value:\"This host runs Symfony and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The following vulnerabilities exist:\n\n - When using the scalar type hint string in a setter method (e.g. setName(string $name)) of a class\n that's the data_class of a form, and when a file upload is submitted to the corresponding field\n instead of a normal text input, then UploadedFile::__toString() is called which will then return\n and disclose the path of the uploaded file. 
If combined with a local file inclusion issue in\n certain circumstances this could escalate it to a Remote Code Execution. (CVE-2018-19789)\n\n - Using backslashes in the _failure_path input field of login forms, one can work around the\n redirection target restrictions and effectively redirect the user to any domain after login. (CVE-2018-19790)\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation would allow an attacker to disclose\n the full path of an uploaded file, execute arbitrary code or redirect a user to any domain after login.\");\n\n script_tag(name:\"affected\", value:\"Symfony versions 2.7.0 to 2.7.49, 2.8.0 to 2.8.48, 3.0.0 to 3.4.19, 4.0.0 to 4.0.14, 4.1.0 to 4.1.8 and 4.2.0.\");\n\n script_tag(name:\"solution\", value:\"The issue has been fixed in Symfony 2.7.50, 2.8.49, 3.4.20, 4.0.15, 4.1.9 and 4.2.1.\n\n NOTE: No fixes are provided for Symfony 3.0, 3.1, 3.2 and 3.3 as they are not maintained anymore.\n It is recommended to upgrade to a supported version as soon as possible.\");\n\n script_xref(name:\"URL\", value:\"https://symfony.com/blog/cve-2018-19789-disclosure-of-uploaded-files-full-path\");\n script_xref(name:\"URL\", value:\"https://symfony.com/blog/cve-2018-19790-open-redirect-vulnerability-when-using-security-http\");\n\n exit(0);\n}\n\nCPE = \"cpe:/a:sensiolabs:symfony\";\n\ninclude( \"host_details.inc\" );\ninclude( \"version_func.inc\" );\n\nif( isnull( port = get_app_port( cpe: CPE ) ) ) exit( 0 );\nif( ! 
infos = get_app_version_and_location( cpe: CPE, port: port, exit_no_version: TRUE) ) exit( 0 );\nversion = infos[\"version\"];\nlocation = infos[\"location\"];\n\nif( version_in_range( version: version, test_version: \"2.7.0\", test_version2: \"2.7.49\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"2.8.50\", install_path: location );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nif( version_in_range( version: version, test_version: \"2.8.0\", test_version2: \"2.8.48\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"2.8.49\", install_path: location );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nif( version_in_range( version: version, test_version: \"3.0.0\", test_version2: \"3.4.19\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"3.4.20\", install_path: location );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nif( version_in_range( version: version, test_version: \"4.0.0\", test_version2: \"4.0.14\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"4.0.15\", install_path: location );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nif( version_in_range( version: version, test_version: \"4.1.0\", test_version2: \"4.1.8\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"4.1.9\", install_path: location );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nif( version_is_equal( version: version, test_version: \"4.2.0\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"4.2.1\", install_path: location );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-05-29T18:33:09", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-19790", "CVE-2018-14774", "CVE-2018-14773", 
"CVE-2018-19789"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2018-12-18T00:00:00", "id": "OPENVAS:1361412562310875360", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310875360", "type": "openvas", "title": "Fedora Update for php-symfony3 FEDORA-2018-66547a8c14", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id$\n#\n# Fedora Update for php-symfony3 FEDORA-2018-66547a8c14\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.875360\");\n script_version(\"$Revision: 14223 $\");\n script_cve_id(\"CVE-2018-19790\", \"CVE-2018-19789\", \"CVE-2018-14773\", \"CVE-2018-14774\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-12-18 08:05:36 +0100 (Tue, 18 Dec 2018)\");\n script_name(\"Fedora Update for php-symfony3 FEDORA-2018-66547a8c14\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC28\");\n\n script_xref(name:\"FEDORA\", value:\"2018-66547a8c14\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4TD3E7FZIXLVFG3SMFJPDEKPZ26TJOW7\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'php-symfony3'\n package(s) announced via the FEDORA-2018-66547a8c14 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"affected\", value:\"php-symfony3 on Fedora 28.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", 
value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC28\")\n{\n\n if ((res = isrpmvuln(pkg:\"php-symfony3\", rpm:\"php-symfony3~3.4.20~1.fc28\", rls:\"FC28\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-05-29T18:32:55", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-19790", "CVE-2018-14774", "CVE-2018-14773", "CVE-2018-19789"], "description": "The remote host is missing an update for the 'php-symfony4' package(s) announced via the FEDORA-2018-6edf04d9d6 advisory.", "modified": "2019-03-15T00:00:00", "published": "2018-12-18T00:00:00", "id": "OPENVAS:1361412562310875365", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310875365", "type": "openvas", "title": "Fedora Update for php-symfony4 FEDORA-2018-6edf04d9d6", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id$\n#\n# Fedora Update for php-symfony4 FEDORA-2018-6edf04d9d6\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.875365\");\n script_version(\"$Revision: 14223 $\");\n script_cve_id(\"CVE-2018-19790\", \"CVE-2018-19789\", \"CVE-2018-14773\", \"CVE-2018-14774\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-12-18 08:06:11 +0100 (Tue, 18 Dec 2018)\");\n script_name(\"Fedora Update for php-symfony4 FEDORA-2018-6edf04d9d6\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC28\");\n\n script_xref(name:\"FEDORA\", value:\"2018-6edf04d9d6\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZMRJ7VTHCY5AZK24G4QGX36RLUDTDKE\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'php-symfony4'\n package(s) announced via the FEDORA-2018-6edf04d9d6 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"affected\", value:\"php-symfony4 on Fedora 28.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", 
value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC28\")\n{\n\n if ((res = isrpmvuln(pkg:\"php-symfony4\", rpm:\"php-symfony4~4.0.15~1.fc28\", rls:\"FC28\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-05-29T18:33:11", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-19790", "CVE-2018-14774", "CVE-2018-14773", "CVE-2018-19789"], "description": "The remote host is missing an update for the 'php-symfony' package(s) announced via the FEDORA-2018-8c06b6defd advisory.", "modified": "2019-03-15T00:00:00", "published": "2018-12-18T00:00:00", "id": "OPENVAS:1361412562310875361", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310875361", "type": "openvas", "title": "Fedora Update for php-symfony FEDORA-2018-8c06b6defd", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id$\n#\n# Fedora Update for php-symfony FEDORA-2018-8c06b6defd\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.875361\");\n script_version(\"$Revision: 14223 $\");\n script_cve_id(\"CVE-2018-19790\", \"CVE-2018-19789\", \"CVE-2018-14773\", \"CVE-2018-14774\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-12-18 08:05:47 +0100 (Tue, 18 Dec 2018)\");\n script_name(\"Fedora Update for php-symfony FEDORA-2018-8c06b6defd\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC28\");\n\n script_xref(name:\"FEDORA\", value:\"2018-8c06b6defd\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OA4WVFN5FYPIXAPLWZI6N425JHHDSWAZ\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'php-symfony'\n package(s) announced via the FEDORA-2018-8c06b6defd advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"affected\", value:\"php-symfony on Fedora 28.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", 
value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC28\")\n{\n\n if ((res = isrpmvuln(pkg:\"php-symfony\", rpm:\"php-symfony~2.8.49~1.fc28\", rls:\"FC28\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-01-29T19:27:11", "bulletinFamily": "scanner", "cvelist": ["CVE-2017-16652", "CVE-2018-19790", "CVE-2018-14773", "CVE-2018-11385", "CVE-2017-16654", "CVE-2018-19789", "CVE-2018-11408"], "description": "Several security vulnerabilities have been discovered in symfony, a PHP\nweb application framework. Numerous symfony components are affected:\nSecurity, bundle readers, session handling, SecurityBundle,\nHttpFoundation, Form, and Security\\Http.\n\nThe referenced upstream advisories contain further details.", "modified": "2020-01-29T00:00:00", "published": "2019-03-11T00:00:00", "id": "OPENVAS:1361412562310891707", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891707", "type": "openvas", "title": "Debian LTS: Security Advisory for symfony (DLA-1707-1)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR 
PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891707\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2017-16652\", \"CVE-2017-16654\", \"CVE-2018-11385\", \"CVE-2018-11408\", \"CVE-2018-14773\",\n \"CVE-2018-19789\", \"CVE-2018-19790\");\n script_name(\"Debian LTS: Security Advisory for symfony (DLA-1707-1)\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-03-11 00:00:00 +0100 (Mon, 11 Mar 2019)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2019/03/msg00009.html\");\n script_xref(name:\"URL\", value:\"https://symfony.com/blog/cve-2017-16652-open-redirect-vulnerability-on-security-handlers\");\n script_xref(name:\"URL\", value:\"https://symfony.com/blog/cve-2017-16654-intl-bundle-readers-breaking-out-of-paths\");\n script_xref(name:\"URL\", value:\"https://symfony.com/blog/cve-2018-11385-session-fixation-issue-for-guard-authentication\");\n script_xref(name:\"URL\", value:\"https://symfony.com/blog/cve-2018-11408-open-redirect-vulnerability-on-security-handlers\");\n script_xref(name:\"URL\", value:\"https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers\");\n script_xref(name:\"URL\", value:\"https://symfony.com/blog/cve-2018-19789-disclosure-of-uploaded-files-full-path\");\n script_xref(name:\"URL\", 
value:\"https://symfony.com/blog/cve-2018-19790-open-redirect-vulnerability-when-using-security-http\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n\n script_tag(name:\"affected\", value:\"symfony on Debian Linux\");\n\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', these problems have been fixed in version\n2.3.21+dfsg-4+deb8u4.\n\nWe recommend that you upgrade your symfony packages.\");\n\n script_tag(name:\"summary\", value:\"Several security vulnerabilities have been discovered in symfony, a PHP\nweb application framework. Numerous symfony components are affected:\nSecurity, bundle readers, session handling, SecurityBundle,\nHttpFoundation, Form, and Security\\Http.\n\nThe referenced upstream advisories contain further details.\");\n\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-browser-kit\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-class-loader\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-classloader\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-config\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-console\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-css-selector\", 
ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-debug\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-dependency-injection\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-doctrine-bridge\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-dom-crawler\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-event-dispatcher\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-eventdispatcher\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-filesystem\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-finder\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-form\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-framework-bundle\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-http-foundation\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-http-kernel\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-intl\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-locale\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-monolog-bridge\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) 
{\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-options-resolver\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-process\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-propel1-bridge\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-property-access\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-proxy-manager-bridge\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-routing\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-security\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-security-bundle\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-serializer\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-stopwatch\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-swiftmailer-bridge\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-templating\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-translation\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-twig-bridge\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-twig-bundle\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += 
res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-validator\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-web-profiler-bundle\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-yaml\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:32:27", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-10911", "CVE-2018-19790", "CVE-2019-10913", "CVE-2018-14773", "CVE-2019-10910", "CVE-2018-19789", "CVE-2019-10909", "CVE-2019-10912"], "description": "The remote host is missing an update for the 'symfony' package(s) announced via the DSA-4441-1 advisory.", "modified": "2019-05-27T00:00:00", "published": "2019-05-11T00:00:00", "id": "OPENVAS:1361412562310704441", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310704441", "type": "openvas", "title": "Debian Security Advisory DSA 4441-1 (symfony - security update)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.704441\");\n script_version(\"2019-05-27T07:36:21+0000\");\n script_cve_id(\"CVE-2018-14773\", \"CVE-2018-19789\", \"CVE-2018-19790\", \"CVE-2019-10909\", \"CVE-2019-10910\", \"CVE-2019-10911\", \"CVE-2019-10912\", \"CVE-2019-10913\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-05-27 07:36:21 +0000 (Mon, 27 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-05-11 02:00:17 +0000 (Sat, 11 May 2019)\");\n script_name(\"Debian Security Advisory DSA 4441-1 (symfony - security update)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB9\");\n\n script_xref(name:\"URL\", value:\"https://www.debian.org/security/2019/dsa-4441.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DSA-4441-1\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'symfony'\n package(s) announced via the DSA-4441-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple vulnerabilities were discovered in the Symfony PHP framework\nwhich could lead to cache bypass, authentication bypass, information\ndisclosure, open redirect, cross-site request forgery, deletion of\narbitrary 
files, or arbitrary code execution.\");\n\n script_tag(name:\"affected\", value:\"'symfony' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For the stable distribution (stretch), these problems have been fixed in\nversion 2.8.7+dfsg-1.3+deb9u2.\n\nWe recommend that you upgrade your symfony packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-asset\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-browser-kit\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-class-loader\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-config\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-console\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-css-selector\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-debug\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-debug-bundle\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-dependency-injection\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-doctrine-bridge\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = 
isdpkgvuln(pkg:\"php-symfony-dom-crawler\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-event-dispatcher\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-expression-language\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-filesystem\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-finder\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-form\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-framework-bundle\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-http-foundation\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-http-kernel\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-intl\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-ldap\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-locale\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-monolog-bridge\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-options-resolver\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-phpunit-bridge\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = 
isdpkgvuln(pkg:\"php-symfony-process\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-property-access\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-property-info\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-proxy-manager-bridge\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-routing\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-security\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-security-bundle\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-security-core\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-security-csrf\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-security-guard\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-security-http\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-serializer\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-stopwatch\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-swiftmailer-bridge\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-templating\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = 
isdpkgvuln(pkg:\"php-symfony-translation\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-twig-bridge\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-twig-bundle\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-validator\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-var-dumper\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-web-profiler-bundle\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-yaml\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2020-08-12T00:47:19", "bulletinFamily": "unix", "cvelist": ["CVE-2017-16652", "CVE-2018-19790", "CVE-2018-14773", "CVE-2018-11385", "CVE-2017-16654", "CVE-2018-19789", "CVE-2018-11408"], "description": "Package : symfony\nVersion : 2.3.21+dfsg-4+deb8u4\nCVE ID : CVE-2017-16652 CVE-2017-16654 CVE-2018-11385 CVE-2018-11408 \n CVE-2018-14773 CVE-2018-19789 CVE-2018-19790\n\n\nSeveral security vulnerabilities have been discovered in symfony, a PHP\nweb application framework. 
Numerous symfony components are affected:\nSecurity, bundle readers, session handling, SecurityBundle,\nHttpFoundation, Form, and Security\\Http.\n\nThe corresponding upstream advisories contain further details:\n\n[CVE-2017-16652]\nhttps://symfony.com/blog/cve-2017-16652-open-redirect-vulnerability-on-security-handlers\n\n[CVE-2017-16654]\nhttps://symfony.com/blog/cve-2017-16654-intl-bundle-readers-breaking-out-of-paths\n\n[CVE-2018-11385]\nhttps://symfony.com/blog/cve-2018-11385-session-fixation-issue-for-guard-authentication\n\n[CVE-2018-11408]\nhttps://symfony.com/blog/cve-2018-11408-open-redirect-vulnerability-on-security-handlers\n\n[CVE-2018-14773]\nhttps://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers\n\n[CVE-2018-19789]\nhttps://symfony.com/blog/cve-2018-19789-disclosure-of-uploaded-files-full-path\n\n[CVE-2018-19790]\nhttps://symfony.com/blog/cve-2018-19790-open-redirect-vulnerability-when-using-security-http\n\nFor Debian 8 "Jessie", these problems have been fixed in version\n2.3.21+dfsg-4+deb8u4.\n\nWe recommend that you upgrade your symfony packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 6, "modified": "2019-03-10T01:19:42", "published": "2019-03-10T01:19:42", "id": "DEBIAN:DLA-1707-1:A69DA", "href": "https://lists.debian.org/debian-lts-announce/2019/debian-lts-announce-201903/msg00009.html", "title": "[SECURITY] [DLA 1707-1] symfony security update", "type": "debian", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-08-12T01:00:47", "bulletinFamily": "unix", "cvelist": ["CVE-2019-10911", "CVE-2018-19790", "CVE-2019-10913", "CVE-2018-14773", "CVE-2019-10910", "CVE-2018-19789", "CVE-2019-10909", "CVE-2019-10912"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory 
DSA-4441-1 security@debian.org\nhttps://www.debian.org/security/ Sebastien Delafond\nMay 10, 2019 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : symfony\nCVE ID : CVE-2018-14773 CVE-2018-19789 CVE-2018-19790 CVE-2019-10909 \n CVE-2019-10910 CVE-2019-10911 CVE-2019-10912 CVE-2019-10913\n\nMultiple vulnerabilities were discovered in the Symfony PHP framework\nwhich could lead to cache bypass, authentication bypass, information\ndisclosure, open redirect, cross-site request forgery, deletion of\narbitrary files, or arbitrary code execution.\n\nFor the stable distribution (stretch), these problems have been fixed in\nversion 2.8.7+dfsg-1.3+deb9u2.\n\nWe recommend that you upgrade your symfony packages.\n\nFor the detailed security status of symfony please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/symfony\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 9, "modified": "2019-05-10T06:26:37", "published": "2019-05-10T06:26:37", "id": "DEBIAN:DSA-4441-1:4957F", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2019/msg00085.html", "title": "[SECURITY] [DSA 4441-1] symfony security update", "type": "debian", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}