Candidate: CVE-2019-18889
PublicDate: 2019-11-21 23:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18889
 https://symfony.com/blog/cve-2019-18889-forbid-serializing-abstractadapter-and-tagawareadapter-instances
 https://github.com/symfony/symfony/commit/8817d28fcaacb31fe01d267f6e19b44d8179395a
Description:
 An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through
 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter
 interfaces could result in remote code injection. This is related to
 symfony/cache.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]


Patches_symfony:
upstream_symfony: released (4.3.8+dfsg-1)
precise/esm_symfony: DNE
trusty_symfony: ignored (out of standard support)
trusty/esm_symfony: DNE
xenial_symfony: ignored (end of standard support, was needed)
bionic_symfony: needed
disco_symfony: ignored (reached end-of-life)
eoan_symfony: ignored (reached end-of-life)
focal_symfony: not-affected (4.3.8+dfsg-1ubuntu1)
groovy_symfony: not-affected (4.3.8+dfsg-1ubuntu1)
hirsute_symfony: not-affected (4.3.8+dfsg-1ubuntu1)
impish_symfony: not-affected (4.3.8+dfsg-1ubuntu1)
jammy_symfony: not-affected (4.3.8+dfsg-1ubuntu1)
devel_symfony: not-affected (4.3.8+dfsg-1ubuntu1)