CVE-2019-11325
Summary
| CVE | CVE-2019-11325 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2019-11-21 23:15:00 UTC |
| Updated | 2020-08-24 17:37:00 UTC |
| Description | An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP code. This is related to symfony/var-exporter. |
Risk And Classification
Problem Types: CWE-116
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Sensiolabs | Symfony | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Comparing d8bf442...57e00f3 · symfony/var-exporter · GitHub | MISC | github.com | Patch, Third Party Advisory |
| Release v4.3.8 · symfony/symfony · GitHub | CONFIRM | github.com | Release Notes, Third Party Advisory |
| Symfony 4.3.8 released (Symfony Blog) | CONFIRM | symfony.com | Release Notes, Vendor Advisory |
| CVE-2019-11325: Fix escaping of strings in VarExporter (Symfony Blog) | CONFIRM | symfony.com | Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |