Fluid Attacks Database

Description

Argument injection in a MimeTypeGuesser in Symfony An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. This is related to symfony/http-foundation (and symfony/mime in 4.3.x).

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	symfony	>=0 <4.3.8+dfsg-1	4.3.8+dfsg-1
packagist	symfony/symfony	>=2.0.0 <2.8.52 \|\| >=3.0.0 <3.4.35 \|\| >=4.0.0 <4.2.12 \|\| >=4.3.0 <4.3.8	2.8.52, 3.4.35, 4.2.12, 4.3.8
packagist	symfony/http-foundation	>=2.0.0 <2.8.52 \|\| >=3.0.0 <3.4.35 \|\| >=4.0.0 <4.2.12 \|\| >=4.3.0 <4.3.8	2.8.52, 3.4.35, 4.2.12, 4.3.8
debian 11	symfony	>=0 <4.3.8+dfsg-1	4.3.8+dfsg-1
debian 12	symfony	>=0 <4.3.8+dfsg-1	4.3.8+dfsg-1
packagist	symfony/mime	>=4.3.0 <4.3.8	4.3.8
debian 14	symfony	>=0 <4.3.8+dfsg-1	4.3.8+dfsg-1

Aliases

1. CVE-2019-188882. NVD-2019-188883. OSV-DEBIAN-2019-188884. OSV-2019-188885. GCVE-2019-188886. SECURITY-TRACKER-CVE-2019-18888

References

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.