Miggo Logo

CVE-2019-18889: Symfony Unsafe Cache Serialization Could Enable RCE

9.8

CVSS Score
3.1

Basic Information

EPSS Score
0.84859%
Published
12/2/2019
Updated
2/1/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
symfony/cachecomposer>= 3.1.0, < 3.4.353.4.35
symfony/cachecomposer>= 4.0.0, < 4.2.124.2.12
symfony/cachecomposer>= 4.3.0, < 4.3.84.3.8
symfony/symfonycomposer>= 3.1.0, < 3.4.353.4.35
symfony/symfonycomposer>= 4.0.0, < 4.2.124.2.12
symfony/symfonycomposer>= 4.3.0, < 4.3.84.3.8

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability occurs when unserialized cache adapter instances execute destructors that process untrusted callables. The security patches explicitly forbid serialization of these classes by adding __sleep()/__wakeup() restrictions, indicating their destructors were the entry points for unsafe operations. TagAwareAdapter is specifically called out in advisories as the primary vector, with AbstractAdapter being parent class with similar risks.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n issu* w*s *is*ov*r** in Sym*ony *.*.* t*rou** *.*.**, *.*.* t*rou** *.*.**, *n* *.*.* t*rou** *.*.*. S*ri*lizin* **rt*in ***** ***pt*r int*r****s *oul* r*sult in r*mot* *o** inj**tion. T*is is r*l*t** to sym*ony/*****.

Reasoning

T** vuln*r**ility o**urs w**n uns*ri*liz** ***** ***pt*r inst*n**s *x**ut* **stru*tors t**t pro**ss untrust** **ll**l*s. T** s**urity p*t***s *xpli*itly *or*i* s*ri*liz*tion o* t**s* *l*ss*s *y ***in* __sl**p()/__w*k*up() r*stri*tions, in*i**tin* t**