CVE-2019-18889: Symfony Unsafe Cache Serialization Could Enable RCE
9.8
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.84859%
CWE
Published
12/2/2019
Updated
2/1/2024
KEV Status
No
Technology
PHP
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
symfony/cache | composer | >= 3.1.0, < 3.4.35 | 3.4.35 |
symfony/cache | composer | >= 4.0.0, < 4.2.12 | 4.2.12 |
symfony/cache | composer | >= 4.3.0, < 4.3.8 | 4.3.8 |
symfony/symfony | composer | >= 3.1.0, < 3.4.35 | 3.4.35 |
symfony/symfony | composer | >= 4.0.0, < 4.2.12 | 4.2.12 |
symfony/symfony | composer | >= 4.3.0, < 4.3.8 | 4.3.8 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability occurs when unserialized cache adapter instances execute destructors that process untrusted callables. The security patches explicitly forbid serialization of these classes by adding __sleep()/__wakeup() restrictions, indicating their destructors were the entry points for unsafe operations. TagAwareAdapter is specifically called out in advisories as the primary vector, with AbstractAdapter being parent class with similar risks.