CVE-2019-10910
CRITICAL9.8EPSS 11.9%Symfony Service IDs Allow Injection
Published: 11/18/2019Modified: 5/27/2026
Description
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution. This is related to symfony/dependency-injection.
Affected packages (4)
- Debian/symfonyfrom 0, < 3.4.22+dfsg-2
- Packagist/symfony/dependency-injection>= 2.7.0, < 2.7.51
- Packagist/symfony/proxy-manager-bridge>= 2.7.0, < 2.7.51
- Packagist/symfony/symfony>= 2.7.0, < 2.7.51
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (12)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-10910
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2019-10910
- PATCHhttps://github.com/symfony/symfony
- WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/dependency-injection/CVE-2019-10910.yaml
- WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/proxy-manager-bridge/CVE-2019-10910.yaml
- WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2019-10910.yaml
- WEBhttps://github.com/symfony/symfony/commit/3876c75f858d5d82e2c309698d21af2f1d721afb
- WEBhttps://github.com/symfony/symfony/commit/4c80c3444854ef384df94deb4acbcef4b5e5243b
- WEBhttps://github.com/symfony/symfony/commit/d2fb5893923292a1da7985f0b56960b5bb10737b
- WEBhttps://symfony.com/blog/cve-2019-10910-check-service-ids-are-valid
- WEBhttps://symfony.com/cve-2019-10910
- WEBhttps://www.synology.com/security/advisory/Synology_SA_19_19