CVE-2019-10910
CRITICAL9.8EPSS 11.9%Symfony Service IDs Allow Injection
發布日:2019/11/18修改日:2026/5/27
描述
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution. This is related to symfony/dependency-injection.
受影響套件(4)
- Debian/symfonyfrom 0, < 3.4.22+dfsg-2
- Packagist/symfony/dependency-injection>= 2.7.0, < 2.7.51
- Packagist/symfony/proxy-manager-bridge>= 2.7.0, < 2.7.51
- Packagist/symfony/symfony>= 2.7.0, < 2.7.51
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
參考連結(12)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-10910
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2019-10910
- PATCHhttps://github.com/symfony/symfony
- WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/dependency-injection/CVE-2019-10910.yaml
- WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/proxy-manager-bridge/CVE-2019-10910.yaml
- WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2019-10910.yaml
- WEBhttps://github.com/symfony/symfony/commit/3876c75f858d5d82e2c309698d21af2f1d721afb
- WEBhttps://github.com/symfony/symfony/commit/4c80c3444854ef384df94deb4acbcef4b5e5243b
- WEBhttps://github.com/symfony/symfony/commit/d2fb5893923292a1da7985f0b56960b5bb10737b
- WEBhttps://symfony.com/blog/cve-2019-10910-check-service-ids-are-valid
- WEBhttps://symfony.com/cve-2019-10910
- WEBhttps://www.synology.com/security/advisory/Synology_SA_19_19