
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

CVE-2019-18888

Severity High
Score 7.5/10

Summary

An issue was discovered in Symfony 2.8.0 before 2.8.52, 3.x up to 3.4.34, 4.x up to 4.2.11, 4.3.0 through 4.3.7, 4.4.0-BETA1 and 5.0.0-BETA1. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. This is related to symfony/http-foundation (and symfony/mime in 4.3.x).

  • Attack Complexity: LOW
  • Attack Vector: NETWORK
  • Availability Impact: HIGH
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Privileges Required: NONE
  • User Interaction: NONE

CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

The software constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
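The weakness described in the summary and in the CWE-88 text above, as an added example that is not Symfony's code: a client-supplied file name that begins with `-` reaches the `file` program as an option even when it has been shell-quoted, so quoting alone stops command injection but not argument injection. The hardened builder confines the path to a fixed upload directory and ends option parsing with `--` before the name. The upload directory and the file named `-v` are constructed for the demo.

```python
import os
import tempfile

def build_file_argv_unsafe(user_path: str) -> list[str]:
    """Vulnerable pattern (CWE-88): the client-supplied name is handed to
    `file` as-is. Shell quoting would stop command injection (CWE-78), but a
    value beginning with '-' is still parsed by `file` as an option."""
    return ["file", "-b", "--mime-type", user_path]

def build_file_argv(user_path: str, upload_root: str) -> list[str]:
    """Hardened builder. Raises ValueError instead of returning an argv when
    the path is not an existing regular file inside upload_root. The name is
    placed after '--', so '-v' or '--mime-type' can no longer be read as an
    option by `file`. Pass the result to subprocess.run without shell=True."""
    root = os.path.realpath(upload_root)
    candidate = os.path.realpath(os.path.join(root, user_path))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes the upload root")
    if not os.path.isfile(candidate):
        raise ValueError("not a regular file")
    return ["file", "-b", "--mime-type", "--", candidate]

def demo() -> dict:
    """Constructed fixture: an upload directory holding a file literally named '-v'."""
    root = tempfile.mkdtemp(prefix="uploads-")
    with open(os.path.join(root, "-v"), "w") as fh:
        fh.write("hello\n")
    results = {
        "unsafe_argv": build_file_argv_unsafe("-v"),   # '-v' lands in option position
        "safe_argv": build_file_argv("-v", root),      # '--' precedes the resolved path
    }
    # Inputs the hardened builder must refuse: traversal, absolute path, nonexistent file.
    for bad in ("../../etc/passwd", "/etc/passwd", "missing.txt"):
        try:
            build_file_argv(bad, root)
            results[bad] = "accepted"
        except ValueError as exc:
            results[bad] = str(exc)
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```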

Advisory Timeline

  • Published