CVE-2018-19789
Symfony Path Disclosure
Description
An issue was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9, and 4.2.x before 4.2.1. When using the scalar type hint `string` in a setter method (e.g. `setName(string $name)`) of a class that's the `data_class` of a form, and when a file upload is submitted to the corresponding field instead of a normal text input, then `UploadedFile::__toString()` is called which will then return and disclose the path of the uploaded file. If combined with a local file inclusion issue in certain circumstances this could escalate it to a Remote Code Execution.
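The mechanism above relies on PHP's default coercive typing: an object that implements `__toString()` satisfies a `string` parameter, so a file object written into `setName(string $name)` is silently turned into its temporary path. The following PHP 8 script is an added illustration, not Symfony code; `UploadedFileStub`, `Profile` and both `mapToData*` functions are constructed stand-ins for the real `UploadedFile`, a `data_class`, and the form's data mapper, and the path is a made-up sample.

```php
<?php
// Constructed stand-in for Symfony's UploadedFile: as in the real class,
// __toString() returns the path of the temporary file on disk.
final class UploadedFileStub
{
    public function __construct(private string $path) {}
    public function __toString(): string { return $this->path; }
}

// Data class shaped like the advisory describes: a setter typed `string`.
final class Profile
{
    private string $name = '';
    public function setName(string $name): void { $this->name = $name; }
    public function getName(): string { return $this->name; }
}

// Simplified model of a data mapper writing a submitted value into the
// data_class through its setter, with no check on the value's type.
function mapToDataUnchecked(Profile $profile, mixed $submitted): void
{
    // Coercive mode accepts any Stringable object for a `string` parameter,
    // so an upload submitted to a text field lands here as its temp path.
    $profile->setName($submitted);
}

// Hardened mapper: a text field only ever accepts scalar (or null) input;
// anything else, including a file upload object, is rejected before mapping.
function mapToDataChecked(Profile $profile, mixed $submitted): void
{
    if (null !== $submitted && !is_scalar($submitted)) {
        throw new InvalidArgumentException(
            'Submitted data was expected to be text, file upload given.'
        );
    }
    $profile->setName((string) $submitted);
}

$upload  = new UploadedFileStub('/tmp/phpUploadXYZ'); // constructed sample path
$profile = new Profile();

mapToDataUnchecked($profile, $upload);
echo 'unchecked mapper stored: ', $profile->getName(), PHP_EOL;

try {
    mapToDataChecked(new Profile(), $upload);
} catch (InvalidArgumentException $e) {
    echo 'checked mapper rejected input: ', $e->getMessage(), PHP_EOL;
}
```

Symfony's own fix took the same shape at the form level, adding an `allow_file_upload` form option (false by default, enabled for file fields) so that an upload submitted to any other field is rejected instead of being mapped; the guard here is a standalone simplification of that idea.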
How to fix CVE-2018-19789
To remediate CVE-2018-19789, upgrade the affected package to a fixed version below.
- upgrade to 3.4.20+dfsg-1 or later
- upgrade to 2.7.50 or later
- upgrade to 2.7.50 or later
Is CVE-2018-19789 being exploited?
Low — EPSS is 0.9%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 3.4.20+dfsg-1
- >= 2.7.0, < 2.7.50
- >= 2.7.0, < 2.7.50
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |