PT-2019-3291 · Symfony · Symfony
Nicolas Grekas
·
Published
2019-04-17
·
Updated
2021-09-29
·
CVE-2019-10910
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Symfony versions prior to 2.7.51
Symfony versions 2.8.x prior to 2.8.50
Symfony versions 3.x prior to 3.4.26
Symfony versions 4.x prior to 4.1.12
Symfony versions 4.2.x prior to 4.2.7
Description
The issue is related to the symfony/dependency-injection component and occurs when service ids allow user input. This could allow for SQL Injection and remote code execution due to a lack of protection measures for SQL query structures.
Recommendations
For Symfony versions prior to 2.7.51, update to version 2.7.51 or later.
For Symfony versions 2.8.x prior to 2.8.50, update to version 2.8.50 or later.
For Symfony versions 3.x prior to 3.4.26, update to version 3.4.26 or later.
For Symfony versions 4.x prior to 4.1.12, update to version 4.1.12 or later.
For Symfony versions 4.2.x prior to 4.2.7, update to version 4.2.7 or later.
Exploit
Fix
RCE
SQL injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Symfony