VIR Vulnerability Intelligence Relay

CVE-2019-18889

unknown
Published 2019-12-02 · Modified 2024-02-20
CVSS v3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v2
VIR risk

Description

An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is related to symfony/cache.

Predictions

Exploit likelihood
30%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2019-18889

OS impact
OSVersionStatusFixed in
debian debianbookwormfixed4.3.8+dfsg-1
debian debianbullseyefixed4.3.8+dfsg-1
debian debianforkyfixed4.3.8+dfsg-1
debian debiansidfixed4.3.8+dfsg-1
debian debiantrixiefixed4.3.8+dfsg-1

Package impact
EcosystemPackageVulnerableFixed
php Packagistsymfony/cache>=3.1.0,<3.4.353.4.35
php Packagistsymfony/cache>=4.0.0,<4.2.124.2.12
php Packagistsymfony/cache>=4.3.0,<4.3.84.3.8
php Packagistsymfony/symfony>=3.1.0,<3.4.353.4.35
php Packagistsymfony/symfony>=4.0.0,<4.2.124.2.12
php Packagistsymfony/symfony>=4.3.0,<4.3.84.3.8

References

Verify integrity in audit chain (admin only). AS-IS.