CVE-2019-18888
Argument injection in a MimeTypeGuesser in Symfony
Severity: HIGH (CVSS 3.1 base score 7.5); EPSS 2.3%
Description
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the path of the file whose MIME type is to be guessed, arbitrary arguments can be passed to the underlying `file` command (argument injection). This affects symfony/http-foundation (and symfony/mime in 4.3.x).
How to fix CVE-2019-18888
To remediate CVE-2019-18888, upgrade the affected package to one of the fixed versions listed below.
- upgrade to 4.3.8+dfsg-1 or later
- upgrade to 2.8.52 or later
- upgrade to 4.3.8 or later
- upgrade to 2.8.52 or later
Is CVE-2019-18888 being exploited?
Low — EPSS is 2.3%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- >= 0, < 4.3.8+dfsg-1
- >= 2.0.0, < 2.8.52
- >= 4.3.0, < 4.3.8
- >= 2.0.0, < 2.8.52
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | HIGH | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |