Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
CVE-2019-18888
Summary
An issue was discovered in Symfony 2.8.0 before 2.8.52, 3.x up to 3.4.34, 4.x up to 4.2.11, 4.3.0 through 4.3.7, 4.4.0-BETA1 and 5.0.0-BETA1. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. This is related to symfony/http-foundation (and symfony/mime in 4.3.x).
- LOW
- NETWORK
- HIGH
- UNCHANGED
- NONE
- NONE
- NONE
- NONE
CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
The software constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
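The summary and the CWE-88 description above, as an added example (not Symfony's code or its patch). It assumes the caller shell-quotes the path before appending it to a `file -b --mime` command line. The option table, the function names and the sample file names are constructed for illustration, and Python's `getopt` stands in for the option parser of the invoked program.

```python
import getopt
import shlex

# Stand-in option table: only the flags used in this example are declared
# (an assumption for illustration, not the full option set of file(1)).
SHORT_OPTS = "b"
LONG_OPTS = ["mime", "version"]


def unsafe_argv(user_path):
    """Shell-quote the input and append it to the command string.

    Quoting prevents shell metacharacter injection but leaves a leading
    '-' intact, so the called program still sees an option.
    """
    cmd = "file -b --mime " + shlex.quote(user_path)
    return shlex.split(cmd)  # the argv the shell would hand to the program


def hardened_argv(user_path):
    """Build argv directly, with the path pinned to operand position."""
    if not user_path or "\x00" in user_path:
        raise ValueError("invalid path")
    if user_path.startswith("-"):
        user_path = "./" + user_path  # same file, no longer option-shaped
    # '--' ends option parsing for getopt-style programs.
    return ["file", "-b", "--mime", "--", user_path]


def parsed_as(argv):
    """Return (option names, operands) as a getopt-style parser sees argv."""
    opts, operands = getopt.getopt(argv[1:], SHORT_OPTS, LONG_OPTS)
    return [name for name, _ in opts], operands


if __name__ == "__main__":
    for name in ["upload.png", "--version"]:  # constructed sample inputs
        print(name, "unsafe  ->", parsed_as(unsafe_argv(name)))
        print(name, "hardened->", parsed_as(hardened_argv(name)))
```

With the hardened builder the dash-leading name is reported as an operand; with the quoted string it is reported as an option and no file operand remains.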
Advisory Timeline
- Published