{"id":"CVE-2019-18888","details":"An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying system `file` command (argument injection). This is related to symfony/http-foundation (and symfony/mime in 4.3.x).","aliases":["GHSA-xhh6-956q-4q69"],"modified":"2026-02-24T01:18:56.673092Z","published":"2019-11-21T23:15:13.530Z","references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DZNXRVHDQBNZQUCNRVZICPPBFRAUWUJX/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VXEAOEANNIVYANTMOJ42NKSU6BGNBULZ/"},{"type":"ADVISORY","url":"https://github.com/symfony/symfony/releases/tag/v4.3.8"},{"type":"ADVISORY","url":"https://symfony.com/blog/cve-2019-18888-prevent-argument-injection-in-a-mimetypeguesser"},{"type":"ADVISORY","url":"https://symfony.com/blog/symfony-4-3-8-released"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/symfony/security-http","events":[{"introduced":"13594beb3faaeea891aaae9eeea8ffde16a99faf"},{"last_affected":"a2f67dfe0ecfb713734847f4ada0f4231e28ae71"},{"introduced":"33c98765dc6fec4907b7431d10e3c0945f061108"},{"last_affected":"8b123e7469953fa8e4112a02692dde2b6fdb0a7f"},{"introduced":"34e089af7d363bd2ded8ad15f06b2b97348b97e5"},{"last_affected":"a3eddd912d93a8c77ffee2b31448e13864257f4e"},{"introduced":"a8d5dd00894f8b5e3edb897f4504c51ddc442370"},{"last_affected":"7e0b49a8d10e31c0cd0431bbc99b20b6c5be4fb7"}]}],"versions":["v2.7.10","v2.7.12","v2.7.13","v2.7.14","v2.7.15","v2.7.16","v2.7.17","v2.7.18","v2.7.19","v2.7.20","v2.7.21","v2.7.22","v2.7.23","v2.7.24",
"v2.7.25","v2.7.26","v2.7.27","v2.7.28","v2.7.29","v2.7.30","v2.7.31","v2.7.32","v2.7.33","v2.7.34","v2.7.35","v2.7.36","v2.7.37","v2.7.38","v2.7.39","v2.7.40","v2.7.41","v2.7.42","v2.7.43","v2.7.44","v2.7.45","v2.7.46","v2.7.47","v2.7.48","v2.7.49","v2.7.50","v2.7.8","v2.7.9","v2.8.0","v2.8.1","v2.8.10","v2.8.11","v2.8.12","v2.8.13","v2.8.14","v2.8.15","v2.8.16","v2.8.17","v2.8.18","v2.8.19","v2.8.2","v2.8.20","v2.8.21","v2.8.22","v2.8.23","v2.8.24","v2.8.25","v2.8.26","v2.8.27","v2.8.28","v2.8.29","v2.8.3","v2.8.30","v2.8.31","v2.8.32","v2.8.33","v2.8.34","v2.8.35","v2.8.36","v2.8.37","v2.8.38","v2.8.39","v2.8.4","v2.8.40","v2.8.41","v2.8.42","v2.8.43","v2.8.44","v2.8.45","v2.8.46","v2.8.47","v2.8.48","v2.8.49","v2.8.5","v2.8.50","v2.8.52","v2.8.6","v2.8.7","v2.8.8","v2.8.9","v3.3.15","v3.3.16","v3.4.0","v3.4.0-RC1","v3.4.0-RC2","v3.4.1","v3.4.10","v3.4.11","v3.4.12","v3.4.13","v3.4.14","v3.4.15","v3.4.16","v3.4.17","v3.4.18","v3.4.19","v3.4.2","v3.4.20","v3.4.21","v3.4.22","v3.4.23","v3.4.24","v3.4.25","v3.4.26","v3.4.27","v3.4.28","v3.4.29","v3.4.3","v3.4.30","v3.4.31","v3.4.32","v3.4.33","v3.4.34","v3.4.35","v3.4.4","v3.4.5","v3.4.6","v3.4.7","v3.4.8","v3.4.9","v4.0.0","v4.0.0-BETA1","v4.0.0-BETA2","v4.0.0-BETA3","v4.0.0-BETA4","v4.0.0-RC1","v4.0.0-RC2","v4.0.1","v4.0.10","v4.0.11","v4.0.12","v4.0.13","v4.0.14","v4.0.2","v4.0.3","v4.0.4","v4.0.5","v4.0.6","v4.0.7","v4.0.8","v4.0.9","v4.1.0","v4.1.0-BETA1","v4.1.0-BETA2","v4.1.0-BETA3","v4.1.1","v4.1.10","v4.1.11","v4.1.2","v4.1.3","v4.1.4","v4.1.5","v4.1.6","v4.1.7","v4.1.8","v4.1.9","v4.2.0","v4.2.0-BETA1","v4.2.0-BETA2","v4.2.0-RC1","v4.2.1","v4.2.10","v4.2.11","v4.2.2","v4.2.3","v4.2.4","v4.2.5","v4.2.6","v4.2.7","v4.2.8","v4.2.9","v4.3.0","v4.3.0-RC1","v4.3.1","v4.3.2","v4.3.3","v4.3.4","v4.3.5","v4.3.6","v4.3.7"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-18888.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/symfony/symfony","ev
ents":[{"introduced":"0a47db379b8cc74cdd84e1e6870fafc4a4ac8351"},{"last_affected":"c461582064eabe9b93b225be589dd6740620ce0f"},{"introduced":"0bf8d128ef3c492436ab5f1b7c7b130f9e96aad2"},{"last_affected":"fb4065ac95f08ca26ee605936e537ba2cd4a6bb7"},{"introduced":"5615b92cd452cd54f1433a3f53de87c096a1107f"},{"last_affected":"2ef4e09343bdbdee0a7968f58b8ec594ce0aa47d"},{"introduced":"7bd9a1bae87e6b2d7eba499ebf3053ff4bc3a483"},{"last_affected":"2ba6f17744ee8649ac107039f64d1ee4c959bf32"}]}],"versions":["v2.3.36","v2.3.37","v2.3.38","v2.3.39","v2.3.40","v2.3.41","v2.3.42","v2.7.10","v2.7.11","v2.7.12","v2.7.13","v2.7.14","v2.7.15","v2.7.16","v2.7.17","v2.7.18","v2.7.19","v2.7.20","v2.7.21","v2.7.22","v2.7.23","v2.7.24","v2.7.25","v2.7.26","v2.7.27","v2.7.28","v2.7.29","v2.7.30","v2.7.31","v2.7.32","v2.7.33","v2.7.34","v2.7.35","v2.7.36","v2.7.37","v2.7.38","v2.7.39","v2.7.40","v2.7.41","v2.7.42","v2.7.43","v2.7.44","v2.7.45","v2.7.46","v2.7.47","v2.7.48","v2.7.49","v2.7.8","v2.7.9","v2.8.0","v2.8.1","v2.8.10","v2.8.11","v2.8.12","v2.8.13","v2.8.14","v2.8.15","v2.8.16","v2.8.17","v2.8.18","v2.8.19","v2.8.2","v2.8.20","v2.8.21","v2.8.22","v2.8.23","v2.8.24","v2.8.25","v2.8.26","v2.8.27","v2.8.28","v2.8.29","v2.8.3","v2.8.30","v2.8.31","v2.8.32","v2.8.33","v2.8.34","v2.8.35","v2.8.36","v2.8.37","v2.8.38","v2.8.39","v2.8.4","v2.8.40","v2.8.41","v2.8.42","v2.8.43","v2.8.44","v2.8.45","v2.8.46","v2.8.47","v2.8.48","v2.8.49","v2.8.5","v2.8.50","v2.8.6","v2.8.7","v2.8.8","v2.8.9","v3.3.14","v3.3.15","v3.4.0","v3.4.1","v3.4.10","v3.4.11","v3.4.12","v3.4.13","v3.4.14","v3.4.15","v3.4.16","v3.4.17","v3.4.18","v3.4.19","v3.4.2","v3.4.20","v3.4.21","v3.4.22","v3.4.23","v3.4.24","v3.4.25","v3.4.26","v3.4.27","v3.4.28","v3.4.29","v3.4.3","v3.4.30","v3.4.31","v3.4.32","v3.4.33","v3.4.34","v3.4.4","v3.4.5","v3.4.6","v3.4.7","v3.4.8","v3.4.9","v4.0.0","v4.0.0-BETA1","v4.0.0-BETA2","v4.0.0-BETA3","v4.0.0-BETA4","v4.0.0-RC1","v4.0.0-RC2","v4.0.1","v4.0.10","v4.0.11","v4.0.12","v4.0.13","v4.0.2","
v4.0.3","v4.0.4","v4.0.5","v4.0.6","v4.0.7","v4.0.8","v4.0.9","v4.1.0","v4.1.0-BETA1","v4.1.0-BETA2","v4.1.0-BETA3","v4.1.1","v4.1.10","v4.1.2","v4.1.3","v4.1.4","v4.1.5","v4.1.6","v4.1.7","v4.1.8","v4.1.9","v4.2.0","v4.2.0-BETA1","v4.2.0-BETA2","v4.2.0-RC1","v4.2.1","v4.2.10","v4.2.11","v4.2.2","v4.2.3","v4.2.4","v4.2.5","v4.2.6","v4.2.7","v4.2.8","v4.2.9"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-18888.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}