Vulnerability Description
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution. This is related to symfony/dependency-injection.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Sensiolabs | Symfony | >= 2.7.0, < 2.7.51 |
| Drupal | Drupal | >= 8.5.0, < 8.5.15 |
Related Weaknesses (CWE)
References
- https://github.com/symfony/symfony/commit/d2fb5893923292a1da7985f0b56960b5bb1073Patch
- https://symfony.com/blog/cve-2019-10910-check-service-ids-are-validExploitThird Party Advisory
- https://www.synology.com/security/advisory/Synology_SA_19_19Third Party Advisory
- https://github.com/symfony/symfony/commit/d2fb5893923292a1da7985f0b56960b5bb1073Patch
- https://symfony.com/blog/cve-2019-10910-check-service-ids-are-validExploitThird Party Advisory
- https://www.synology.com/security/advisory/Synology_SA_19_19Third Party Advisory
FAQ
What is CVE-2019-10910?
CVE-2019-10910 is a vulnerability with a CVSS score of 9.8 (CRITICAL). In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execu...
How severe is CVE-2019-10910?
CVE-2019-10910 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2019-10910?
Check the references section above for vendor advisories and patch information. Affected products include: Sensiolabs Symfony, Drupal Drupal.