Candidate: CVE-2019-11325
PublicDate: 2019-11-21 23:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11325
 https://symfony.com/blog/cve-2019-11325-fix-escaping-of-strings-in-varexporter
 https://github.com/symfony/symfony/commit/0524868cbf3d3a36e0af804432016d5a6d98169a
Description:
 An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8.
 The VarExport component incorrectly escapes strings, allowing some
 specially crafted ones to escalate to execution of arbitrary PHP code.
 This is related to symfony/var-exporter.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]

Patches_symfony:
upstream_symfony: released (4.3.8+dfsg-1)
precise/esm_symfony: DNE
trusty_symfony: ignored (out of standard support)
trusty/esm_symfony: DNE
xenial_symfony: ignored (end of standard support, was needs-triage)
bionic_symfony: not-affected (code not present)
disco_symfony: ignored (reached end-of-life)
eoan_symfony: ignored (reached end-of-life)
focal_symfony: not-affected (4.3.8+dfsg-1ubuntu1)
groovy_symfony: not-affected (4.3.8+dfsg-1ubuntu1)
hirsute_symfony: not-affected (4.3.8+dfsg-1ubuntu1)
impish_symfony: not-affected (4.3.8+dfsg-1ubuntu1)
jammy_symfony: not-affected (4.3.8+dfsg-1ubuntu1)
devel_symfony: not-affected (4.3.8+dfsg-1ubuntu1)