CVE-2019-10910
Published 2019-05-16
Priority P260 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 5.49% (91.8th percentile)
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution. This is related to symfony/dependency-injection.
Affected
30 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | symfony | < symfony 3.4.22+dfsg-2 (bookworm) | symfony 3.4.22+dfsg-2 (bookworm) |
| drupal | core | >= 8.0.0 < 8.5.15 | 8.5.15 |
| drupal | core | >= 8.6.0 < 8.6.15 | 8.6.15 |
| drupal | drupal | >= 8.5.0 < 8.5.15 | 8.5.15 |
| drupal | drupal | >= 8.6.0 < 8.6.15 | 8.6.15 |
| drupal | drupal_core | — | — |
| sensiolabs | symfony | >= 2.7.0 < 2.7.51 | 2.7.51 |
| sensiolabs | symfony | >= 2.8.0 < 2.8.50 | 2.8.50 |
| sensiolabs | symfony | >= 3.4.0 < 3.4.26 | 3.4.26 |
| sensiolabs | symfony | >= 4.1.0 < 4.1.12 | 4.1.12 |
| sensiolabs | symfony | >= 4.2.0 < 4.2.7 | 4.2.7 |
| symfony | dependency-injection | >= 2.7.0 < 2.7.51 | 2.7.51 |
| symfony | dependency-injection | >= 2.8.0 < 2.8.50 | 2.8.50 |
| symfony | dependency-injection | >= 3.0.0 < 3.4.26 | 3.4.26 |
| symfony | dependency-injection | >= 4.0.0 < 4.1.12 | 4.1.12 |
| symfony | dependency-injection | >= 4.2.0 < 4.2.7 | 4.2.7 |
| symfony | proxy-manager-bridge | >= 2.7.0 < 2.7.51 | 2.7.51 |
| symfony | proxy-manager-bridge | >= 2.8.0 < 2.8.50 | 2.8.50 |
| symfony | proxy-manager-bridge | >= 3.0.0 < 3.4.26 | 3.4.26 |
| symfony | proxy-manager-bridge | >= 4.0.0 < 4.1.12 | 4.1.12 |
| symfony | proxy-manager-bridge | >= 4.2.0 < 4.2.7 | 4.2.7 |
| symfony | symfony | >= 0 < 3.4.22+dfsg-2 | 3.4.22+dfsg-2 |
Detection & IOCs (extracted from sources)
- Service IDs derived from unfiltered user input in Symfony's dependency-injection component can lead to arbitrary code execution; monitor for unexpected or malformed service ID values in application input that reach the DI container.
- The vulnerability is scoped to the symfony/dependency-injection component; audit code paths where user-controlled strings are passed as service identifiers.
- Affected Symfony versions to flag in dependency scans: before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7.
- The vulnerability is only exploitable when service IDs are constructed from or influenced by user-supplied input; applications that do not expose service ID resolution to user input are not affected.
- Drupal deployments are affected through their bundled/required Symfony dependency-injection component; the Drupal 8.6 and 8.5 lines both required patching (8.6.15 and 8.5.15 respectively).
CVSS provenance
- nvd (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- nvd (v2.0): 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
- osv: 9.8 CRITICAL
- vendor_debian: 9.8 CRITICAL
Drupal
Drupal core - Moderately critical - Multiple Vulnerabilities - SA-CORE-2019-005
vendor_drupal · 2019-04-17 · CVSS 5.4 · CVE-2019-10909 [MEDIUM]
Vulnerability Type: Multiple Vulnerabilities
Description: This security release fixes third-party dependencies included in or required by Drupal core. CVE-2019-10909: Escape validation messages in the PHP templating engine. From that advisory: Validation messages were not escaped when using the form theme of the PHP templating engine which, when validation messages may contain user input, could result in an XSS. CVE-2019-10910: Check service IDs are valid. From that advisory: Service IDs derived from unfiltered user input could result in the execution of any arbitrary code, resulting in possible remote code execution. CVE-2019-10911: Add a separator in the remember me cookie hash. From that advisory
Debian
CVE-2019-10910: symfony - In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1...
vendor_debian · 2019 · CVSS 9.8 [CRITICAL]
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution. This is related to symfony/dependency-injection.
Scope: local
bookworm: resolved (fixed in 3.4.22+dfsg-2)
bullseye: resolved (fixed in 3.4.22+dfsg-2)
forky: resolved (fixed in 3.4.22+dfsg-2)
sid: resolved (fixed in 3.4.22+dfsg-2)
trixie: resolved (fixed in 3.4.22+dfsg-2)
GHSA
Symfony Service IDs Allow Injection
ghsa · 2019-11-18 · CRITICAL · CWE-89
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution. This is related to symfony/dependency-injection.
OSV
Symfony Service IDs Allow Injection
osv · 2019-11-18 · CRITICAL
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution. This is related to symfony/dependency-injection.
OSV
CVE-2019-10910: In Symfony before 2
osv · 2019-05-16 · CVSS 9.8 [CRITICAL]
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution. This is related to symfony/dependency-injection.
OSV
CVE-2019-10909: This security release fixes third-party dependencies included in or required by Drupal core
osv · 2019-04-17 · CVSS 5.4 [MEDIUM]
This security release fixes third-party dependencies included in or required by Drupal core.
* [CVE-2019-10909: Escape validation messages in the PHP templating engine](https://symfony.com/blog/cve-2019-10909-escape-validation-messages-in-the-php-templating-engine). From that advisory:
> Validation messages were not escaped when using the form theme of the PHP templating engine which, when validation messages may contain user input, could result in an XSS.
* [CVE-2019-10910: Check service IDs are valid](https://symfony.com/blog/cve-2019-10910-check-service-ids-are-valid). From that advisory:
> Service IDs derived from unfiltered user input could result in the execution of any arbitrary code, resulting in possible remote code execution.
* [CVE-2019-10911: Add a separator in the remember me
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2019-10909 CVE-2019-10910 CVE-2019-10912 CVE-2019-10913 CVE-2018-19790 CVE-2018-19789 php-symfony: Multiple vulnerabilities fixed in symfony 2.8.7 [epel-all]
bugzilla · 2019-06-12 · CVSS 5.3 [MEDIUM]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog an
Bugzilla
CVE-2019-10909 CVE-2019-10910 CVE-2019-10912 CVE-2019-10913 CVE-2018-19790 CVE-2018-19789 php-symfony: Multiple vulnerabilities fixed in symfony 2.8.7
bugzilla · 2019-06-12 · CVSS 5.3 [MEDIUM]
Multiple vulnerabilities were discovered in the Symfony PHP framework
which could lead to cache bypass, authentication bypass, information
disclosure, open redirect, cross-site request forgery, deletion of
arbitrary files, or arbitrary code execution.
References:
https://www.debian.org/security/2019/dsa-4441
https://security-tracker.debian.org/tracker/symfony
Discussion:
Created php-symfony tracking bugs for this issue:
Affects: epel-all [bug 1719512]
Affects: fedora-all [bug 1719511]
Created php-symfony3 tracking bugs for this issue:
Affects: fedora-all [bug 1719513]
Created php-symfony4 tracking bugs for this issue:
Affects: fe
Bugzilla
CVE-2019-10909 CVE-2019-10910 CVE-2019-10912 CVE-2019-10913 CVE-2018-19790 CVE-2018-19789 php-symfony: Multiple vulnerabilities fixed in symfony 2.8.7 [fedora-all]
bugzilla · 2019-06-12 · CVSS 5.3 [MEDIUM]
Bugzilla
CVE-2019-10909 CVE-2019-10910 CVE-2019-10912 CVE-2019-10913 CVE-2018-19790 CVE-2018-19789 php-symfony4: php-symfony: Multiple vulnerabilities fixed in symfony 2.8.7 [fedora-all]
bugzilla · 2019-06-12 · CVSS 5.3 [MEDIUM]
Bugzilla
CVE-2019-10909 CVE-2019-10910 CVE-2019-10912 CVE-2019-10913 CVE-2018-19790 CVE-2018-19789 php-symfony3: php-symfony: Multiple vulnerabilities fixed in symfony 2.8.7 [fedora-all]
bugzilla · 2019-06-12 · CVSS 5.3 [MEDIUM]
References:
- https://github.com/symfony/symfony/commit/d2fb5893923292a1da7985f0b56960b5bb10737b
- https://symfony.com/blog/cve-2019-10910-check-service-ids-are-valid
- https://www.synology.com/security/advisory/Synology_SA_19_19
Published: 2019-05-16