CVE-2019-11325
Published: 21 November 2019
An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP code. This is related to symfony/var-exporter.
Priority
Status
Package | Release | Status |
---|---|---|
symfony Launchpad, Ubuntu, Debian |
hirsute |
Not vulnerable
(4.3.8+dfsg-1ubuntu1)
|
jammy |
Not vulnerable
(4.3.8+dfsg-1ubuntu1)
|
|
bionic |
Not vulnerable
(code not present)
|
|
disco |
Ignored
(end of life)
|
|
eoan |
Ignored
(end of life)
|
|
focal |
Not vulnerable
(4.3.8+dfsg-1ubuntu1)
|
|
groovy |
Not vulnerable
(4.3.8+dfsg-1ubuntu1)
|
|
impish |
Not vulnerable
(4.3.8+dfsg-1ubuntu1)
|
|
trusty |
Does not exist
|
|
upstream |
Released
(4.3.8+dfsg-1)
|
|
xenial |
Not vulnerable
(code not present)
|
Severity score breakdown
Parameter | Value |
---|---|
Base score | 9.8 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |