CVE-2019-10910

high-risk
Published 2019-05-16

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution. This is related to symfony/dependency-injection.

Do I need to act?

!
12.3% chance of exploitation in next 30 days
EPSS score — higher than 88% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: c5bc3922f27c93ab3669428a504212adb801400f, 91ded4b7776e05ee9633bdc1c458b41c718133e0, 20f9c87a12a0749ad3a96da256b4d0f95aad4beb, 2ef4e09343bdbdee0a7968f58b8ec594ce0aa47d, 1b89e7baec9891c323bbf1ec81af77d901fc60c9, 482d06316077da115e5dac2afd2a7ce9f5f100f7, 6122c791d640b75702514c18c8aae816dbbefae2, d2fb5893923292a1da7985f0b56960b5bb10737b
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (2)

Affected Vendors

Drupal Sensiolabs

References (6)

Patch https://github.com/symfony/symfony/commit/d2fb5893923292a1da7985f0b56960b5bb1073...
Exploit https://symfony.com/blog/cve-2019-10910-check-service-ids-are-valid
Third Party Advisory https://www.synology.com/security/advisory/Synology_SA_19_19
Patch https://github.com/symfony/symfony/commit/d2fb5893923292a1da7985f0b56960b5bb1073...
Exploit https://symfony.com/blog/cve-2019-10910-check-service-ids-are-valid
Third Party Advisory https://www.synology.com/security/advisory/Synology_SA_19_19
51
/ 100
high-risk
Severity 32/34 · Critical
Exploitability 12/34 · Low
Exposure 7/34 · Low