CVE-2019-10910
published 2019-05-16

Priority: P260
Severity: critical (CVSS 3.1 base score 9.8)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 5.49% (91.8th percentile)
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution. This is related to symfony/dependency-injection.

Affected

30 ranges · showing 25 (four identical symfony/symfony rows collapsed into one)

Vendor      Product                  Version range                 Fixed in
debian      symfony                  < 3.4.22+dfsg-2 (bookworm)    3.4.22+dfsg-2 (bookworm)
drupal      core                     >= 8.0.0, < 8.5.15            8.5.15
drupal      core                     >= 8.6.0, < 8.6.15            8.6.15
drupal      drupal                   >= 8.5.0, < 8.5.15            8.5.15
drupal      drupal                   >= 8.6.0, < 8.6.15            8.6.15
drupal      drupal_core              (not specified)               (not specified)
sensiolabs  symfony                  >= 2.7.0, < 2.7.51            2.7.51
sensiolabs  symfony                  >= 2.8.0, < 2.8.50            2.8.50
sensiolabs  symfony                  >= 3.4.0, < 3.4.26            3.4.26
sensiolabs  symfony                  >= 4.1.0, < 4.1.12            4.1.12
sensiolabs  symfony                  >= 4.2.0, < 4.2.7             4.2.7
symfony     dependency-injection     >= 2.7.0, < 2.7.51            2.7.51
symfony     dependency-injection     >= 2.8.0, < 2.8.50            2.8.50
symfony     dependency-injection     >= 3.0.0, < 3.4.26            3.4.26
symfony     dependency-injection     >= 4.0.0, < 4.1.12            4.1.12
symfony     dependency-injection     >= 4.2.0, < 4.2.7             4.2.7
symfony     proxy-manager-bridge     >= 2.7.0, < 2.7.51            2.7.51
symfony     proxy-manager-bridge     >= 2.8.0, < 2.8.50            2.8.50
symfony     proxy-manager-bridge     >= 3.0.0, < 3.4.26            3.4.26
symfony     proxy-manager-bridge     >= 4.0.0, < 4.1.12            4.1.12
symfony     proxy-manager-bridge     >= 4.2.0, < 4.2.7             4.2.7
symfony     symfony                  >= 0, < 3.4.22+dfsg-2         3.4.22+dfsg-2

Detection & IOCs

  • Service IDs derived from unfiltered user input in Symfony's dependency-injection component can lead to arbitrary code execution. Monitor for unexpected or malformed service ID values in application input that reaches the DI container.
  • The vulnerable code is in the symfony/dependency-injection component (the affected table also lists symfony/proxy-manager-bridge, which builds on it); audit every code path where a user-controlled string is passed as a service identifier.
  • Affected Symfony versions to flag in dependency scans: before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.0.x and 4.1.x before 4.1.12, and 4.2.x before 4.2.7. The first fixed releases are 2.7.51, 2.8.50, 3.4.26, 4.1.12 and 4.2.7.
  • The issue is only exploitable when service IDs are constructed from or influenced by user-supplied input; applications that never let user input reach service ID resolution are not exposed.
  • Drupal 8 deployments are affected through their bundled Symfony dependency-injection component; the 8.5 and 8.6 lines were patched in 8.5.15 and 8.6.15 respectively.
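As an added example (not code from the advisory, from Symfony or from any of the listed vendors), the following Python script applies the version ranges from the affected table to a composer.lock file and flags the packages that are still in range. The package names and range bounds are taken from the table above (the ranges start at 2.7.0, so branches older than 2.7 are not covered); the sample lock file is constructed for the demonstration; versions such as dev-master that cannot be compared to a release number are reported as unknown for manual review rather than silently passed.

```python
"""
Flag composer.lock entries that fall inside the CVE-2019-10910 affected
ranges. Added example, not part of the advisory or of Symfony.
"""
import json
import re
import sys

# Affected version ranges from the advisory table: lower bound inclusive,
# first fixed release exclusive. Tuples are (major, minor, patch).
AFFECTED_RANGES = [
    ((2, 7, 0), (2, 7, 51)),
    ((2, 8, 0), (2, 8, 50)),
    ((3, 0, 0), (3, 4, 26)),
    ((4, 0, 0), (4, 1, 12)),
    ((4, 2, 0), (4, 2, 7)),
]

# Composer package names that ship the affected code, per the advisory table.
AFFECTED_PACKAGES = {
    "symfony/symfony",
    "symfony/dependency-injection",
    "symfony/proxy-manager-bridge",
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(version):
    """'v3.4.25' or '3.4.25.0' -> (3, 4, 25); None for dev-* / branch aliases."""
    match = _VERSION_RE.match(version)
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())


def is_vulnerable(version):
    """True/False for a tagged release; None when the version is not comparable."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    return any(lower <= parsed < fixed for lower, fixed in AFFECTED_RANGES)


def scan_lock(lock_text):
    """Return {package: (version, status)} for affected packages in a composer.lock.

    status is 'vulnerable' for in-range releases and 'unknown' for versions
    that cannot be compared (e.g. 'dev-master'), which need manual review.
    Packages at or above the first fixed release are omitted.
    """
    lock = json.loads(lock_text)
    findings = {}
    for section in ("packages", "packages-dev"):
        for package in lock.get(section, []):
            name = package.get("name", "")
            if name not in AFFECTED_PACKAGES:
                continue
            version = package.get("version", "")
            verdict = is_vulnerable(version)
            if verdict is True:
                findings[name] = (version, "vulnerable")
            elif verdict is None:
                findings[name] = (version, "unknown")
    return findings


# Constructed sample lock file (not from any real project): one in-range
# component, one already-fixed bridge, one unrelated package, one branch alias.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "symfony/dependency-injection", "version": "v4.2.6"},
        {"name": "symfony/proxy-manager-bridge", "version": "v3.4.26"},
        {"name": "symfony/http-foundation", "version": "v4.2.6"},
    ],
    "packages-dev": [
        {"name": "symfony/symfony", "version": "dev-master"},
    ],
})


if __name__ == "__main__":
    # Usage: python scan_cve_2019_10910.py [path/to/composer.lock]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    for name, (version, status) in sorted(scan_lock(text).items()):
        print(f"{status:10s} {name} {version}")
```

Run against the constructed sample, the script reports symfony/dependency-injection v4.2.6 as vulnerable (4.2.0 <= 4.2.6 < 4.2.7) and symfony/symfony dev-master as unknown; the bridge at v3.4.26 is the first fixed release and is not reported. Note the gap between ranges: 4.1.12 and later 4.1.x are fixed while 4.2.0 through 4.2.6 are vulnerable again, so a plain "newer is safer" comparison would get the 4.2 branch wrong.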

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd            v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
osv                     9.8    CRITICAL
vendor_debian           9.8    CRITICAL