CVE-2019-11325

Published: Nov 21, 2019Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP code. This is related to symfony/var-exporter.

Affected (2)

Products: Sensiolabs: Symfony

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Sensiolabs Symfony	From 4.2.0 to 4.2.12
Sensiolabs Symfony	From 4.3.0 to 4.3.8

Related CWEs

Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

References (8)

https://github.com/symfony/symfony/releases/tag/v4.3.8

Source: cve@mitre.org

Release NotesThird Party Advisory

https://github.com/symfony/var-exporter/compare/d8bf442...57e00f3

Source: cve@mitre.org

PatchThird Party Advisory

https://symfony.com/blog/cve-2019-11325-fix-escaping-of-strings-in-varexporter

Source: cve@mitre.org

Vendor Advisory

https://symfony.com/blog/symfony-4-3-8-released

Source: cve@mitre.org

Release NotesVendor Advisory

https://github.com/symfony/symfony/releases/tag/v4.3.8

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesThird Party Advisory

https://github.com/symfony/var-exporter/compare/d8bf442...57e00f3

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://symfony.com/blog/cve-2019-11325-fix-escaping-of-strings-in-varexporter

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://symfony.com/blog/symfony-4-3-8-released

Source: af854a3a-2127-422b-91ae-364da2661108

Release NotesVendor Advisory

Timeline

No history available yet.