An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP code. This is related to symfony/var-exporter.
References
Link | Resource |
---|---|
https://github.com/symfony/symfony/releases/tag/v4.3.8 | Release Notes Third Party Advisory |
https://github.com/symfony/var-exporter/compare/d8bf442...57e00f3 | Patch Third Party Advisory |
https://symfony.com/blog/cve-2019-11325-fix-escaping-of-strings-in-varexporter | Vendor Advisory |
https://symfony.com/blog/symfony-4-3-8-released | Release Notes Vendor Advisory |
https://github.com/symfony/symfony/releases/tag/v4.3.8 | Release Notes Third Party Advisory |
https://github.com/symfony/var-exporter/compare/d8bf442...57e00f3 | Patch Third Party Advisory |
https://symfony.com/blog/cve-2019-11325-fix-escaping-of-strings-in-varexporter | Vendor Advisory |
https://symfony.com/blog/symfony-4-3-8-released | Release Notes Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 04:20
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/symfony/symfony/releases/tag/v4.3.8 - Release Notes, Third Party Advisory | |
References | () https://github.com/symfony/var-exporter/compare/d8bf442...57e00f3 - Patch, Third Party Advisory | |
References | () https://symfony.com/blog/cve-2019-11325-fix-escaping-of-strings-in-varexporter - Vendor Advisory | |
References | () https://symfony.com/blog/symfony-4-3-8-released - Release Notes, Vendor Advisory |
Information
Published : 2019-11-21 23:15
Updated : 2024-11-21 04:20
NVD link : CVE-2019-11325
Mitre link : CVE-2019-11325
CVE.ORG link : CVE-2019-11325
JSON object : View
Products Affected
sensiolabs
- symfony
CWE
CWE-116
Improper Encoding or Escaping of Output