Deserialization of untrusted data in Symfony
High severity · GitHub Reviewed
Published Feb 12, 2020 to the GitHub Advisory Database · Updated Feb 5, 2024
Package                  Affected versions          Patched versions
symfony/cache            >= 3.1.0, < 3.4.26         3.4.26
                         >= 4.0.0, < 4.1.12         4.1.12
                         >= 4.2.0, < 4.2.7          4.2.7
symfony/phpunit-bridge   >= 2.8.0, < 2.8.50         2.8.50
                         >= 3.0.0, < 3.4.26         3.4.26
                         >= 4.0.0, < 4.1.12         4.1.12
                         >= 4.2.0, < 4.2.7          4.2.7
symfony/symfony          >= 2.8.0, < 2.8.50         2.8.50
                         >= 3.0.0, < 3.4.26         3.4.26
                         >= 4.0.0, < 4.1.12         4.1.12
                         >= 4.2.0, < 4.2.7          4.2.7

(Package names in the first column are inferred: the description names symfony/cache and symfony/phpunit-bridge, the symfony/symfony monolith ships both, and the row with no 2.8 range is symfony/cache, a component that first shipped in Symfony 3.1.)
Description
Published by the National Vulnerability Database: May 16, 2019
Reviewed: Feb 11, 2020
Published to the GitHub Advisory Database: Feb 12, 2020
Last updated: Feb 5, 2024
In Symfony before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, classes in symfony/cache and symfony/phpunit-bridge have destructors with filesystem side effects, and nothing prevented those classes from being serialized or unserialized. An object built from bad user input (for example a cached value, or any unserialize() call on data the attacker influences) therefore runs its destructor with attacker-chosen properties when it is garbage-collected, which can delete files that the PHP process user has permission to remove. This is the classic PHP object-injection pattern: the attacker never calls the destructor, they only need to get an instance of the class to exist with the properties they want. The fix makes the affected classes refuse to take part in serialization at all (their __sleep() and __wakeup() throw), so such objects can no longer be materialised from serialized data. This is related to symfony/cache and symfony/phpunit-bridge.
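The following is an added example, not code from Symfony or from this advisory. It reproduces the gadget shape described above with two hypothetical classes: VulnerableTempFileHolder, whose destructor unlinks a file, and HardenedTempFileHolder, the same class with the __sleep()/__wakeup() guard the upstream fix used. The helper functions gadgetPayload() and victimFile(), the temp-file contents and the serialized payloads are constructed for the demo; the third step shows the caller-side defence (unserialize() with allowed_classes => false) that works regardless of which gadget classes happen to be loaded.

```php
<?php
declare(strict_types=1);

// Added example, not Symfony code. Hypothetical stand-in for a helper that
// removes a file in its destructor, which is the class shape behind this advisory.
class VulnerableTempFileHolder
{
    public $path;

    public function __construct(string $path)
    {
        $this->path = $path;
    }

    // Filesystem side effect in a destructor: it runs for every instance,
    // including ones PHP builds from attacker-supplied unserialize() input.
    public function __destruct()
    {
        if (is_file($this->path)) {
            @unlink($this->path);
        }
    }
}

// Same class with the guard the upstream fix added: refuse (de)serialization,
// so unserialize() can never materialise an instance with attacker-chosen state.
class HardenedTempFileHolder
{
    public $path;

    public function __construct(string $path)
    {
        $this->path = $path;
    }

    public function __destruct()
    {
        if (is_file($this->path)) {
            @unlink($this->path);
        }
    }

    public function __sleep(): array
    {
        throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
    }

    public function __wakeup(): void
    {
        throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
    }
}

// Attacker-style payload: a serialized object of $class whose "path" property
// points at the file to delete. No method call is needed; existence is enough.
function gadgetPayload(string $class, string $path): string
{
    return sprintf('O:%d:"%s":1:{s:4:"path";s:%d:"%s";}',
        strlen($class), $class, strlen($path), $path);
}

// Constructed victim file standing in for anything the PHP process user may unlink.
function victimFile(): string
{
    $f = tempnam(sys_get_temp_dir(), 'gadget-');
    file_put_contents($f, "important\n");
    return $f;
}

// 1. Vulnerable class: unserialize() of untrusted data is enough to delete the file.
$victim = victimFile();
$obj = unserialize(gadgetPayload(VulnerableTempFileHolder::class, $victim));
unset($obj); // __destruct fires here (or at script shutdown if the object lingers)
printf("vulnerable: file still exists? %s\n", var_export(file_exists($victim), true));

// 2. Hardened class: __wakeup() throws, the object is discarded, the file survives.
$victim = victimFile();
try {
    unserialize(gadgetPayload(HardenedTempFileHolder::class, $victim));
} catch (\BadMethodCallException $e) {
    echo 'hardened: ', $e->getMessage(), "\n";
}
printf("hardened: file still exists? %s\n", var_export(file_exists($victim), true));

// 3. Caller-side defence: never let untrusted data instantiate real classes.
//    The payload becomes a __PHP_Incomplete_Class with no destructor of its own.
$obj = unserialize(gadgetPayload(VulnerableTempFileHolder::class, $victim),
    ['allowed_classes' => false]);
printf("allowed_classes=false: got %s, file still exists? %s\n",
    get_class($obj), var_export(file_exists($victim), true));
unlink($victim);
```

Run it with `php example.php`; the first victim file should be gone after step 1, while the files in steps 2 and 3 should survive. Two caveats when applying the pattern: the __wakeup() guard relies on the engine discarding an object whose __wakeup() threw without running its destructor (current PHP does this; older releases had bugs in this area), and it only protects classes that carry the guard, so a different loaded class with a side-effecting destructor is still a gadget. Treating unserialize() of untrusted input as forbidden, or at minimum passing allowed_classes, is the defence that does not depend on auditing every destructor in the dependency tree.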
References