CVE-2019-18889
https://notcve.org/view.php?id=CVE-2019-18889
An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is related to symfony/cache. Se detectó un problema en Symfony versiones 3.4.0 hasta 3.4.34, 4.2.0 hasta 4.2.11 y 4.3.0 hasta 4.3.7. La serialización de ciertas interfaces del adaptador de caché podría resultar en la inyección de código remota. • https://github.com/symfony/symfony/releases/tag/v4.3.8 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA https://symfony.com/blog/cve-2019-18889-forbid-serializing-abstractadapter-and-tagawareadapter-instances https://symfony.com/blog/symfony-4-3-8-released • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2019-18887
https://notcve.org/view.php?id=CVE-2019-18887
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. The UriSigner was subject to timing attacks. This is related to symfony/http-kernel. Se detectó un problema en Symfony versiones 2.8.0 hasta 2.8.50, 3.4.0 hasta 3.4.34, 4.2.0 hasta 4.2.11 y 4.3.0 hasta 4.3.7. El UriSigner estaba sujeto a ataques de sincronización. • https://github.com/symfony/symfony/releases/tag/v4.3.8 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DZNXRVHDQBNZQUCNRVZICPPBFRAUWUJX https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VXEAOEANNIVYANTMOJ42NKSU6BGNBULZ https://symfony.com/blog/cve-2019-18887-use-constant-time-comparison-in-urisigner https://symfony.com/blog/ • CWE-203: Observable Discrepancy •
CVE-2019-18888
https://notcve.org/view.php?id=CVE-2019-18888
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. This is related to symfony/http-foundation (and symfony/mime in 4.3.x). Se detectó un problema en Symfony versiones 2.8.0 hasta 2.8.50, 3.4.0 hasta 3.4.34, 4.2.0 hasta 4.2.11 y 4.3.0 hasta 4.3.7. Si una aplicación pasa una entrada de usuario no validada como el archivo para el que debe llevarse a cabo la validación de tipo MIME, entonces argumentos arbitrarios son pasados al comando de archivo subyacente. • https://github.com/symfony/symfony/releases/tag/v4.3.8 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DZNXRVHDQBNZQUCNRVZICPPBFRAUWUJX https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VXEAOEANNIVYANTMOJ42NKSU6BGNBULZ https://symfony.com/blog/cve-2019-18888-prevent-argument-injection-in-a-mimetypeguesser https://symfony.com/blog • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •
CVE-2019-10912
https://notcve.org/view.php?id=CVE-2019-10912
In Symfony before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, it is possible to cache objects that may contain bad user input. On serialization or unserialization, this could result in the deletion of files that the current user has access to. This is related to symfony/cache and symfony/phpunit-bridge. En Symfony versión anterior a 2.8.50, versión 3.x anterior a 3.4.26, versión 4.x anterior a 4.1.12 y versión 4.2.x anterior a 4.2.7, es posible guardar en caché objetos que pueden contener información errada del usuario. En la serialización o unserialization, esto podría resultar en la eliminación de archivos a los que el usuario actual tiene acceso. • https://github.com/symfony/symfony/commit/4fb975281634b8d49ebf013af9e502e67c28816b https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/42UEKSLKJB72P24JBWVN6AADHLMYSUQD https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QEAOZXVNDA63537A2OIH4QE77EKZR5O https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BAC2TQVEEH5FDJSSWPM2BCRIPTCOEMMO https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BHHIG4GMSGEIDT3RITSW7GJ5 • CWE-502: Deserialization of Untrusted Data •
CVE-2019-10913
https://notcve.org/view.php?id=CVE-2019-10913
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, HTTP Methods provided as verbs or using the override header may be treated as trusted input, but they are not validated, possibly causing SQL injection or XSS. This is related to symfony/http-foundation. En Symfony la versión anterior a 2.7.51, versión 2.8.x anterior a 2.8.50, versión 3.x anterior a 3.4.26, versión 4.x anterior a 4.1.12 y versión 4.2.x anterior a 4.2.7, los métodos HTTP se proporcionan como verbos o usando el encabezado de anulación pueden tratarse como entradas de confianza, pero no están validadas, lo que posiblemente provoque la inyección de SQL o XSS. Esto está relacionado con Symfony/http-foundation. • https://github.com/symfony/symfony/commit/944e60f083c3bffbc6a0b5112db127a10a66a8ec https://symfony.com/blog/cve-2019-10913-reject-invalid-http-method-overrides • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •