CVE-2019-10910

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution. This is related to symfony/dependency-injection.

Published: May 17, 2019
Updated: May 9, 2024
CVE: CVE-2019-10910
GHSA: GHSA-pgwj-prpq-jpc2
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-89

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
sensiolabs / symfony	4.2.0	4.2.7
sensiolabs / symfony	4.1.0	4.1.12
sensiolabs / symfony	3.4.0	3.4.26
sensiolabs / symfony	2.8.0	2.8.50
sensiolabs / symfony	2.7.0	2.7.51
drupal / drupal	8.5.0	8.5.15
drupal / drupal	8.6.0	8.6.15
symfony / dependency-injection	2.7.0	2.7.51
symfony / dependency-injection	2.8.0	2.8.50
symfony / dependency-injection	3.0.0	3.4.26
symfony / dependency-injection	4.0.0	4.1.12
symfony / dependency-injection	4.2.0	4.2.7
symfony / proxy-manager-bridge	2.7.0	2.7.51
symfony / proxy-manager-bridge	2.8.0	2.8.50
symfony / proxy-manager-bridge	3.0.0	3.4.26
symfony / proxy-manager-bridge	4.0.0	4.1.12
symfony / proxy-manager-bridge	4.2.0	4.2.7
symfony / symfony	2.7.0	2.7.51
symfony / symfony	2.8.0	2.8.50
symfony / symfony	3.0.0	3.4.26
symfony / symfony	4.0.0	4.1.12
symfony / symfony	4.2.0	4.2.7

Vulnerability Database

289,599

CVE-2019-10910