
CVE-2019-18888 symfony/http-foundation

Package

Manager: composer
Name: symfony/http-foundation
Vulnerable Version: >=2.0.0 <2.8.52 || >=3.0.0 <3.4.35 || >=4.0.0 <4.2.12 || >=4.3.0 <4.3.8

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.02738 (percentile 0.85414)

Details

Argument injection in a MimeTypeGuesser in Symfony

An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. This is related to symfony/http-foundation (and symfony/mime in 4.3.x).
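A defensive sketch of the argument handling this description calls for when a path that may come from user input reaches the file command. It is an added example, not Symfony's code: buildMimeCommand and guessMimeType are hypothetical helper names, the sample names are constructed, and the installed file utility is assumed to support -b, --mime-type and the -- end-of-options marker.

```php
<?php
declare(strict_types=1);

/**
 * Build a `file` command line for a path that may come from user input.
 * Hypothetical helper for illustration; not Symfony's implementation.
 */
function buildMimeCommand(string $path): string
{
    if ($path === '' || strpos($path, "\0") !== false) {
        throw new InvalidArgumentException('Empty path or NUL byte in path');
    }
    // A leading "-" would be parsed by `file` as an option, not a filename.
    // Prefixing "./" keeps the same relative file but can never be a flag.
    if ($path[0] === '-') {
        $path = './' . $path;
    }
    // "--" ends option parsing; escapeshellarg() neutralises shell metacharacters.
    return sprintf('file -b --mime-type -- %s 2>/dev/null', escapeshellarg($path));
}

/** Return the MIME type reported by `file`, or null if it cannot be trusted. */
function guessMimeType(string $path): ?string
{
    // Input validation (CWE-20): only existing, readable regular files.
    if (!is_file($path) || !is_readable($path)) {
        return null;
    }
    $output = [];
    $status = 1;
    exec(buildMimeCommand($path), $output, $status);
    if ($status !== 0 || !isset($output[0])) {
        return null;
    }
    // Accept only something shaped like "type/subtype".
    return preg_match('#^[a-z0-9.+-]+/[a-z0-9.+-]+$#i', $output[0]) ? $output[0] : null;
}

// Constructed sample names showing how each one reaches the command line.
foreach (['report.pdf', '-dash-prefixed-name', "name with 'quote'"] as $sample) {
    printf("%-24s => %s\n", var_export($sample, true), buildMimeCommand($sample));
}
```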

Metadata

Created: 2019-12-02T18:08:19Z
Modified: 2021-07-28T16:28:00Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-xhh6-956q-4q69/GHSA-xhh6-956q-4q69.json
CWE IDs: ["CWE-20", "CWE-88"]
Alternative ID: GHSA-xhh6-956q-4q69
Finding: F184
Auto approve: 1