CVE-2019-10912
Deserialization of untrusted data in Symfony
7.1
HIGH
CVSS 3.1
EPSS 1.1%
Description
In Symfony before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, it is possible to cache objects that may contain bad user input. On serialization or unserialization, this could result in the deletion of files that the current user has access to. This is related to symfony/cache and symfony/phpunit-bridge.
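The mechanism in the description is a classic PHP deserialization gadget: a class whose destructor has a file-system side effect is safe while its objects are built by its own constructor, but `unserialize()` never calls the constructor, so an attacker who can shape a cached serialized string gets to pick the destructor's target. The following added example (written for this page; it is not Symfony's code, and `TempFileHolder`, `GuardedTempFileHolder` and `forgePayload` are illustrative names) shows the gadget, the forged payload, and two hardenings: refusing `allowed_classes` at the `unserialize()` call site, and making the class itself throw from `__sleep()`/`__wakeup()` so it can never be cached in the first place.

```php
<?php
declare(strict_types=1);

// Added illustration, not Symfony's code. TempFileHolder stands in for any
// class whose destructor cleans up a file: correct when the object was built
// by its own constructor, a file-deletion gadget once unserialize() rebuilds
// it from a string that an attacker shaped (here, via a poisoned cache entry).
class TempFileHolder
{
    public $path;

    public function __construct()
    {
        $this->path = tempnam(sys_get_temp_dir(), 'holder-');
    }

    public function __destruct()
    {
        // Runs for every instance, including ones unserialize() created
        // without ever calling the constructor above.
        if (is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// Class-level hardening: refuse (un)serialization outright, so the object can
// neither be written to a cache nor be resurrected from a forged blob.
class GuardedTempFileHolder extends TempFileHolder
{
    public function __sleep(): array
    {
        throw new \BadMethodCallException('Cannot serialize ' . __CLASS__);
    }

    public function __wakeup(): void
    {
        throw new \BadMethodCallException('Cannot unserialize ' . __CLASS__);
    }
}

// Attacker view: only the class name and property layout are needed to
// forge an instance whose $path is a file of the attacker's choosing.
function forgePayload(string $class, string $victimPath): string
{
    return sprintf('O:%d:"%s":1:{s:4:"path";s:%d:"%s";}',
        strlen($class), $class, strlen($victimPath), $victimPath);
}

function makeVictim(): string
{
    // Constructed stand-in for any file the PHP worker is allowed to delete.
    $path = tempnam(sys_get_temp_dir(), 'victim-');
    file_put_contents($path, 'do not lose me');
    return $path;
}

// 1. Vulnerable: the gadget is instantiated from attacker data and its
//    destructor deletes the victim as soon as the object is released.
$victim = makeVictim();
$gadget = unserialize(forgePayload(TempFileHolder::class, $victim));
unset($gadget);
printf("gadget unserialized, victim still exists: %s\n", var_export(file_exists($victim), true));

// 2. Call-site hardening for data that should stay opaque: with
//    allowed_classes disabled, PHP yields __PHP_Incomplete_Class, which has
//    no destructor, so the same forged blob is inert.
$victim = makeVictim();
$inert = unserialize(forgePayload(TempFileHolder::class, $victim), ['allowed_classes' => false]);
unset($inert);
printf("allowed_classes=false, victim still exists: %s\n", var_export(file_exists($victim), true));
unlink($victim);

// 3. Class-level hardening: the guarded object cannot even reach the cache.
try {
    serialize(new GuardedTempFileHolder());
} catch (\BadMethodCallException $e) {
    echo 'serialize refused: ', $e->getMessage(), PHP_EOL;
}
```

Run it with `php gadget.php`: step 1 reports the victim as gone, step 2 reports it still present, and step 3 prints the refusal message. Note that the attacker never calls `unlink()` or executes code of their own; they only supply a string, and the application's existing destructor does the deletion with the web user's privileges, which is why the vector scores integrity high and confidentiality low. `allowed_classes` is the right tool for blobs that must stay opaque, but a cache component has to rehydrate real objects, so the durable fix is the one in step 3: classes with side-effecting destructors should refuse to be serialized at all.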
How to fix CVE-2019-10912
To remediate CVE-2019-10912, upgrade the affected package to a fixed version below.
- upgrade to 3.4.22+dfsg-2 or later (Debian build; the fix is backported, so the upstream version number alone does not indicate exposure)
- upgrade to 3.4.26 or later
- upgrade to 2.8.50 or later
- upgrade to 2.8.50 or later
- upgrade to 9.5.8 or later
- upgrade to 9.5.8 or later
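To check a Composer-managed application against the upstream ranges in the description, the following added script (written for this page, not part of the advisory or of Symfony) reads a `composer.lock` and reports every affected package below the first fixed release of its branch. The package list (`symfony/symfony`, `symfony/cache`, `symfony/phpunit-bridge`) and the branch-to-package mapping are assumptions drawn from the description; distribution builds such as the `+dfsg` Debian package above carry backported fixes and must be checked through the distribution's own tooling instead.

```php
<?php
declare(strict_types=1);

// Added helper, not part of the advisory: audit a composer.lock against the
// vulnerable ranges stated in the CVE description. AFFECTED_PACKAGES is an
// assumption (the split packages the description names, plus the monorepo).
const AFFECTED_PACKAGES = ['symfony/symfony', 'symfony/cache', 'symfony/phpunit-bridge'];

// [first affected (inclusive), first fixed (exclusive)] per release branch:
// 2.8 < 2.8.50, 3.x < 3.4.26, 4.0/4.1 < 4.1.12, 4.2 < 4.2.7.
const VULNERABLE_RANGES = [
    ['2.8.0', '2.8.50'],
    ['3.0.0', '3.4.26'],
    ['4.0.0', '4.1.12'],
    ['4.2.0', '4.2.7'],
];

// Returns the first fixed release for a vulnerable version, null if not affected
// or if the version is a branch alias that cannot be judged numerically.
function fixedVersionFor(string $version): ?string
{
    $v = ltrim($version, 'v');
    if (!preg_match('/^\d+(\.\d+){1,3}$/', $v)) {
        return null; // dev-* and x-dev aliases: verify those by commit instead
    }
    foreach (VULNERABLE_RANGES as [$lo, $fix]) {
        if (version_compare($v, $lo, '>=') && version_compare($v, $fix, '<')) {
            return $fix;
        }
    }
    return null;
}

// Scans both runtime and dev sections; phpunit-bridge normally lives in the latter.
function auditLock(string $lockJson): array
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    $findings = [];
    foreach (['packages', 'packages-dev'] as $section) {
        foreach ($lock[$section] ?? [] as $pkg) {
            if (!in_array($pkg['name'], AFFECTED_PACKAGES, true)) {
                continue;
            }
            $fix = fixedVersionFor($pkg['version']);
            if ($fix !== null) {
                $findings[] = sprintf('%s %s (%s): upgrade to %s or later',
                    $pkg['name'], $pkg['version'], $section, $fix);
            }
        }
    }
    return $findings;
}

// Constructed sample lock data: one vulnerable runtime dependency, one already
// fixed, one unrelated package, one vulnerable dev dependency, one dev alias.
$sample = json_encode([
    'packages' => [
        ['name' => 'symfony/cache', 'version' => 'v3.4.20'],
        ['name' => 'symfony/symfony', 'version' => 'v4.2.7'],
        ['name' => 'monolog/monolog', 'version' => '1.24.0'],
    ],
    'packages-dev' => [
        ['name' => 'symfony/phpunit-bridge', 'version' => 'v4.1.9'],
        ['name' => 'symfony/symfony', 'version' => '3.4.x-dev'],
    ],
]);

$lockJson = isset($argv[1]) ? file_get_contents($argv[1]) : $sample;
$findings = auditLock($lockJson);
echo $findings ? implode(PHP_EOL, $findings) . PHP_EOL : 'No affected packages found.' . PHP_EOL;
exit($findings ? 1 : 0);
```

Usage: `php audit-lock.php /path/to/composer.lock`; with no argument it runs against the embedded sample, where the `symfony/cache` and `symfony/phpunit-bridge` entries are flagged and the `4.2.7` monorepo entry is not. The non-zero exit status makes it usable as a CI gate. The `x-dev` alias is deliberately skipped rather than silently passed, because a numeric comparison says nothing about which commit a branch alias resolves to.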
Is CVE-2019-10912 being exploited?
Low. EPSS is 1.1%, which is a model estimate of the probability that this CVE is exploited in the wild within the next 30 days, not a record of observed attacks; a low score means exploitation is predicted to be unlikely at scale, not that it has been ruled out for a given deployment.
Affected packages (6)
- >= 0, < 3.4.22+dfsg-2
- >= 3.1.0, < 3.4.26
- >= 2.8.0, < 2.8.50
- >= 2.8.0, < 2.8.50
- >= 9.0.0, < 9.5.8
- >= 9.0.0, < 9.5.8
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | HIGH | 7.1 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N |

Reading the vector: network-reachable (AV:N), low attack complexity (AC:L), requires low privileges (PR:L, an authenticated user able to get input into a cache entry), no user interaction (UI:N), scope unchanged (S:U), low confidentiality impact (C:L), high integrity impact (I:H, the file deletion described above), no availability impact (A:N).