CVE-2019-10910
CRITICAL severity · CVSS 9.8 · SQL injection
9.8CVSS CRITICAL
Summary
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution. This is related to symfony/dependency-injection.
Impact & exploitability
Attack vectorNetwork
Attack complexityLow
Privileges requiredNone
User interactionNone
Confidentiality impactHigh
Integrity impactHigh
Availability impactHigh
Exploit probability (EPSS)12%
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Recommendation
Apply the vendor fix promptly. Open any affected product above for its exact safe version.
Official patch: https://github.com/symfony/symfony/commit/d2fb5893923292a1da7985f0b56960b5bb10737b ↗
Additional information
- NVD record
- https://github.com/symfony/symfony/commit/d2fb5893923292a1da7985f0b56960b5bb10737bPatch
- https://github.com/symfony/symfony/commit/d2fb5893923292a1da7985f0b56960b5bb10737bPatch
- https://www.synology.com/security/advisory/Synology_SA_19_19Advisory
- https://www.synology.com/security/advisory/Synology_SA_19_19Advisory
- https://symfony.com/blog/cve-2019-10910-check-service-ids-are-validAdvisory
- https://symfony.com/blog/cve-2019-10910-check-service-ids-are-validAdvisory