{"id":"CVE-2019-18889","details":"An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is related to symfony/cache.","aliases":["GHSA-79gr-58r3-pwm3"],"modified":"2026-04-10T04:16:40.823702Z","published":"2019-11-21T23:15:13.607Z","references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA/"},{"type":"ADVISORY","url":"https://github.com/symfony/symfony/releases/tag/v4.3.8"},{"type":"ADVISORY","url":"https://symfony.com/blog/cve-2019-18889-forbid-serializing-abstractadapter-and-tagawareadapter-instances"},{"type":"ADVISORY","url":"https://symfony.com/blog/symfony-4-3-8-released"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/symfony/symfony","events":[{"introduced":"0a47db379b8cc74cdd84e1e6870fafc4a4ac8351"},{"last_affected":"c461582064eabe9b93b225be589dd6740620ce0f"},{"introduced":"7bd9a1bae87e6b2d7eba499ebf3053ff4bc3a483"},{"last_affected":"2ba6f17744ee8649ac107039f64d1ee4c959bf32"},{"introduced":"0bf8d128ef3c492436ab5f1b7c7b130f9e96aad2"},{"last_affected":"fb4065ac95f08ca26ee605936e537ba2cd4a6bb7"},{"fixed":"87fb08703e62882a7a6fdb17672070e0ee12dd65"}],"database_specific":{"versions":[{"introduced":"3.4.0"},{"last_affected":"3.4.34"},{"introduced":"4.2.0"},{"last_affected":"4.2.11"},{"introduced":"4.3.0"},{"last_affected":"4.3.7"}]}}],"versions":["v3.4.0","v3.4.1","v3.4.10","v3.4.11","v3.4.12","v3.4.13","v3.4.14","v3.4.15","v3.4.16","v3.4.17","v3.4.18","v3.4.19","v3.4.2","v3.4.20","v3.4.21","v3.4.22","v3.4.23","v3.4.24","v3.4.25","v3.4.26","v3.4.27","v3.4.28","v3.4.29","v3.4.3","v3.4.30","v3.4.31","v3.4.32","v3.4.33","v3.4.34","v3.4.4","v3.4.5","v3.4.6","v3.4.7","v3.4.8","v3.4.9","v4.2.0","v4.2.1","v4.2.10","v4.2.11","v4.2.2","v4.2.3","v4.2.4","v4.2.5","v4.2.6","v4.2.7","v4.2.8","v4.2.9","v4.3.0","v4.3.1","v4.3.2","v4.3.3","v4.3.4","v4.3.5","v4.3.6","v4.3.7"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"31"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-18889.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}