Candidate: CVE-2019-18888
PublicDate: 2019-11-21 23:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18888
 https://symfony.com/blog/cve-2019-18888-prevent-argument-injection-in-a-mimetypeguesser
 https://github.com/symfony/symfony/commit/691486e43ce0e4893cd703e221bafc10a871f365
 https://github.com/symfony/symfony/commit/77ddabf2e785ea85860d2720cc86f7c5d8967ed5
Description:
 An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through
 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application
 passes unvalidated user input as the file for which MIME type validation
 should occur, then arbitrary arguments are passed to the underlying file
 command. This is related to symfony/http-foundation (and symfony/mime in
 4.3.x).
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N [7.5 HIGH]


Patches_symfony:
upstream_symfony: released (4.3.8+dfsg-1)
precise/esm_symfony: DNE
trusty_symfony: ignored (out of standard support)
trusty/esm_symfony: DNE
xenial_symfony: ignored (end of standard support, was needed)
bionic_symfony: needed
disco_symfony: ignored (reached end-of-life)
eoan_symfony: ignored (reached end-of-life)
focal_symfony: not-affected (4.3.8+dfsg-1ubuntu1)
groovy_symfony: not-affected (4.3.8+dfsg-1ubuntu1)
hirsute_symfony: not-affected (4.3.8+dfsg-1ubuntu1)
impish_symfony: not-affected (4.3.8+dfsg-1ubuntu1)
jammy_symfony: not-affected (4.3.8+dfsg-1ubuntu1)
devel_symfony: not-affected (4.3.8+dfsg-1ubuntu1)