ASA-2019-00225 – Symfony: Prevent destructors with side-effects from being unserialized


Allele Security Alert

ASA-2019-00225

Identifier(s)

ASA-2019-00225, CVE-2019-10912

Title

Prevent destructors with side-effects from being unserialized

Vendor(s)

Sensio Labs

Product(s)

Symfony

Affected version(s)

Symfony 2.8.0 to 2.8.49
Symfony 3.4.0 to 3.4.25
Symfony 4.1.0 to 4.1.11
Symfony 4.2.0 to 4.2.6

Fixed version(s)

Symfony 2.8.50
Symfony 3.4.26
Symfony 4.1.12
Symfony 4.2.7

Proof of concept

Unknown

Description

When unserialize() is called on content coming from user input, a malicious payload can instantiate objects whose destructors have side-effects; when those objects are destroyed, the side-effects run, which could be used to trigger file deletions or raw output being echoed.
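The following is an added illustration of the class of bug the advisory describes and of the mitigation its title implies; it is not Symfony's code. TempFileLock, SafeTempFileLock and unserializeUntrusted are hypothetical names chosen for this example. The hardened class refuses to be serialized or unserialized by throwing from __sleep() and __wakeup(), and the helper shows the call-site option of forbidding object instantiation with allowed_classes.

```php
<?php
declare(strict_types=1);

// Constructed example, not Symfony's own code. TempFileLock models the
// vulnerable pattern: an object whose destructor has a side-effect (here,
// deleting a file). Any such class is a risk when unserialize() runs on
// attacker-controlled input, because the payload chooses the class and its
// property values, and the destructor then runs on that state.
final class TempFileLock
{
    private string $path;

    public function __construct(string $path)
    {
        $this->path = $path;
        touch($this->path);
    }

    public function __destruct()
    {
        if (isset($this->path) && is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// Hardened variant: identical behaviour for legitimate callers, but the object
// can never be produced by unserialize() (nor emitted by serialize()).
final class SafeTempFileLock
{
    private string $path;

    public function __construct(string $path)
    {
        $this->path = $path;
        touch($this->path);
    }

    public function __destruct()
    {
        if (isset($this->path) && is_file($this->path)) {
            unlink($this->path);
        }
    }

    public function __sleep(): array
    {
        throw new \BadMethodCallException('Cannot serialize ' . __CLASS__);
    }

    public function __wakeup(): void
    {
        // Discard the attacker-supplied state before aborting, so the
        // destructor stays a no-op even on PHP builds that still run it after
        // a failed wakeup (whether a given version does is not relied upon).
        unset($this->path);
        throw new \BadMethodCallException('Cannot unserialize ' . __CLASS__);
    }
}

// Call-site defence for code that must unserialize untrusted strings but only
// expects scalars and arrays: with allowed_classes => false every object in the
// payload becomes __PHP_Incomplete_Class, so no __wakeup() or __destruct() of
// any loaded class can be reached.
function unserializeUntrusted(string $blob): mixed
{
    $value = unserialize($blob, ['allowed_classes' => false]);
    if ($value === false && $blob !== serialize(false)) {
        throw new \UnexpectedValueException('Malformed serialized data');
    }
    return $value;
}

// Legitimate use is unchanged: the lock file is created and removed as before.
$lock = new SafeTempFileLock(sys_get_temp_dir() . '/asa-example.lock');
unset($lock);

// Serializing the hardened object is now an explicit error.
try {
    serialize(new SafeTempFileLock(sys_get_temp_dir() . '/asa-example2.lock'));
} catch (\BadMethodCallException $e) {
    echo $e->getMessage(), PHP_EOL; // Cannot unserialize / serialize message
}

// Untrusted input that only ever carries data stays object-free.
var_dump(unserializeUntrusted(serialize(['ttl' => 300, 'keys' => ['a', 'b']])));
```

The two measures are complementary: throwing from __sleep()/__wakeup() protects every call site that might unserialize the class, while allowed_classes protects a specific call site against every class, including ones added later by third-party packages.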

Technical details

Unknown

Credits

Mindaugas Vedegys

Reference(s)

CVE-2019-10912: Prevent destructors with side-effects from being unserialized
https://symfony.com/blog/cve-2019-10912-prevent-destructors-with-side-effects-from-being-unserialized

TYPO3-CORE-SA-2019-016: Possible deserialization side-effects in symfony/cache
https://typo3.org/security/advisory/typo3-core-sa-2019-016/

CVE-2019-10912
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10912

CVE-2019-10912
https://nvd.nist.gov/vuln/detail/CVE-2019-10912

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: July 11, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.