CVE-2019-10912
N/A
N/A
Summary
In Symfony before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, it is possible to cache objects that may contain bad user input. On serialization or unserialization, this could result in the deletion of files that the current user has access to. This is related to symfony/cache and symfony/phpunit-bridge.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | n/a | n/a | affected |
Weaknesses
- n/a
ADP Enrichment
CVE Program Container
Additional References
- https://symfony.com/blog/cve-2019-10912-prevent-destructors-with-side-effects-from-being-unserialized
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RTJGZJLPG5FHKFH7KNAKNTWOGBB6LXAL/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLOZX5BZMQKWG7PJRQL6MB5CAMKBQAWD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LFARAUAWZE4UDSKVDWRD35D75HI5UGSD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MDSM576XIOVXVCMHNJHLBBZBTOD62LDA/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BAC2TQVEEH5FDJSSWPM2BCRIPTCOEMMO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/42UEKSLKJB72P24JBWVN6AADHLMYSUQD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QEAOZXVNDA63537A2OIH4QE77EKZR5O/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BHHIG4GMSGEIDT3RITSW7GJ5NT6IBHXU/
- https://www.debian.org/security/2019/dsa-4441
- https://seclists.org/bugtraq/2019/May/21
- https://github.com/symfony/symfony/commit/4fb975281634b8d49ebf013af9e502e67c28816b
- https://typo3.org/security/advisory/typo3-core-sa-2019-016/
References
- https://symfony.com/blog/cve-2019-10912-prevent-destructors-with-side-effects-from-being-unserialized
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RTJGZJLPG5FHKFH7KNAKNTWOGBB6LXAL/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZLOZX5BZMQKWG7PJRQL6MB5CAMKBQAWD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LFARAUAWZE4UDSKVDWRD35D75HI5UGSD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MDSM576XIOVXVCMHNJHLBBZBTOD62LDA/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BAC2TQVEEH5FDJSSWPM2BCRIPTCOEMMO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/42UEKSLKJB72P24JBWVN6AADHLMYSUQD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QEAOZXVNDA63537A2OIH4QE77EKZR5O/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BHHIG4GMSGEIDT3RITSW7GJ5NT6IBHXU/
- https://www.debian.org/security/2019/dsa-4441
- https://seclists.org/bugtraq/2019/May/21
- https://github.com/symfony/symfony/commit/4fb975281634b8d49ebf013af9e502e67c28816b
- https://typo3.org/security/advisory/typo3-core-sa-2019-016/
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.