Lucene search

GoogleOSV:GHSA-XHH6-956Q-4Q69

HistoryDec 02, 2019 - 6:08 p.m.

Argument injection in a MimeTypeGuesser in Symfony

2019-12-0218:08:19

Google

osv.dev

0.004 Low

EPSS

Percentile

72.4%

JSON

An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. This is related to symfony/http-foundation (and symfony/mime in 4.3.x).

CPENameOperatorVersion
symfony/symfonyeq2.4.10
symfony/http-foundationeq4.2.7
symfony/symfonyeq2.3.0
symfony/symfonyeq2.7.12
symfony/symfonyeq3.1.4
symfony/http-foundationeq4.1.11
symfony/symfonyeq2.1.8
symfony/http-foundationeq2.1.0
symfony/http-foundationeq2.8.18
symfony/symfonyeq2.3.33

Name	Operator	Version
symfony/symfony	eq	2.4.10
symfony/http-foundation	eq	4.2.7
symfony/symfony	eq	2.3.0
symfony/symfony	eq	2.7.12
symfony/symfony	eq	3.1.4
symfony/http-foundation	eq	4.1.11
symfony/symfony	eq	2.1.8
symfony/http-foundation	eq	2.1.0
symfony/http-foundation	eq	2.8.18
symfony/symfony	eq	2.3.33

Rows per page:

1-10 of 8241

References

github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2019-18888.yaml

github.com/FriendsOfPHP/security-advisories/blob/master/symfony/mime/CVE-2019-18888.yaml

github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2019-18888.yaml

github.com/symfony/symfony/releases/tag/v4.3.8

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DZNXRVHDQBNZQUCNRVZICPPBFRAUWUJX

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VXEAOEANNIVYANTMOJ42NKSU6BGNBULZ

lists.fedoraproject.org/archives/list/[email protected]/message/DZNXRVHDQBNZQUCNRVZICPPBFRAUWUJX

lists.fedoraproject.org/archives/list/[email protected]/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA

lists.fedoraproject.org/archives/list/[email protected]/message/VXEAOEANNIVYANTMOJ42NKSU6BGNBULZ

nvd.nist.gov/vuln/detail/CVE-2019-18888

symfony.com/blog/cve-2019-18888-prevent-argument-injection-in-a-mimetypeguesser

symfony.com/blog/symfony-4-3-8-released

symfony.com/cve-2019-18888

0.004 Low

EPSS

Percentile

72.4%

JSON

Related for OSV:GHSA-XHH6-956Q-4Q69