Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
debianDebianDEBIAN:DLA-1778-1:38F11
HistoryMay 06, 2019 - 7:15 p.m.

[SECURITY] [DLA 1778-1] symfony security update

2019-05-0619:15:39
lists.debian.org
99

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

6 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:S/C:P/I:P/A:P

0.002 Low

EPSS

Percentile

59.3%

JSON

Package : symfony
Version : 2.3.21+dfsg-4+deb8u5
CVE ID : CVE-2019-10909 CVE-2019-10910 CVE-2019-10911
CVE-2019-10913

Several security vulnerabilities have been discovered in symfony, a PHP
web application framework. Numerous symfony components are affected:
Framework Bundle, Dependency Injection, Security, HttpFoundation

CVE-2019-10909

Validation messages were not escaped when using the form theme of
the PHP templating engine which, when validation messages may
contain user input, could result in an XSS.

For further information, see the upstream advisory at

https://symfony.com/blog/cve-2019-10909-escape-validation-messages-in-the-php-templating-engine

CVE-2019-10910

Service IDs derived from unfiltered user input could result in the
execution of any arbitrary code, resulting in possible remote code
execution.

For further information, see the upstream advisory at
https://symfony.com/blog/cve-2019-10910-check-service-ids-are-valid

CVE-2019-10911

This fixes situations where part of an expiry time in a cookie could
be considered part of the username, or part of the username could be
considered part of the expiry time. An attacker could modify the
remember me cookie and authenticate as a different user. This attack
is only possible if remember me functionality is enabled and the two
users share a password hash or the password hashes (e.g.
UserInterface::getPassword()) are null for all users (which is valid
if passwords are checked by an external system, e.g. an SSO).

For further information, see the upstream advisory at

https://symfony.com/blog/cve-2019-10911-add-a-separator-in-the-remember-me-cookie-hash

CVE-2019-10913

HTTP methods, from either the HTTP method itself or using the
X-Http-Method-Override header were previously returned as the method
in question without validation being done on the string, meaning
that they could be used in dangerous contexts when left unescaped.

For further information, see the upstream advisory at

https://symfony.com/blog/cve-2019-10913-reject-invalid-http-method-overrides

For Debian 8 "Jessie", these problems have been fixed in version
2.3.21+dfsg-4+deb8u5.

We recommend that you upgrade your symfony packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

Jonas Meurer

OSVersionArchitecturePackageVersionFilename
Debian9allphp-symfony-swiftmailer-bridge< 2.8.7+dfsg-1.3+deb9u2php-symfony-swiftmailer-bridge_2.8.7+dfsg-1.3+deb9u2_all.deb
Debian9allphp-symfony-security-core< 2.8.7+dfsg-1.3+deb9u2php-symfony-security-core_2.8.7+dfsg-1.3+deb9u2_all.deb
Debian8allphp-symfony-locale< 2.3.21+dfsg-4+deb8u5php-symfony-locale_2.3.21+dfsg-4+deb8u5_all.deb
Debian8allphp-symfony-eventdispatcher< 2.3.21+dfsg-4+deb8u5php-symfony-eventdispatcher_2.3.21+dfsg-4+deb8u5_all.deb
Debian8allphp-symfony-debug< 2.3.21+dfsg-4+deb8u5php-symfony-debug_2.3.21+dfsg-4+deb8u5_all.deb
Debian9allphp-symfony< 2.8.7+dfsg-1.3+deb9u2php-symfony_2.8.7+dfsg-1.3+deb9u2_all.deb
Debian8allphp-symfony-stopwatch< 2.3.21+dfsg-4+deb8u5php-symfony-stopwatch_2.3.21+dfsg-4+deb8u5_all.deb
Debian9allphp-symfony-phpunit-bridge< 2.8.7+dfsg-1.3+deb9u2php-symfony-phpunit-bridge_2.8.7+dfsg-1.3+deb9u2_all.deb
Debian9allphp-symfony-debug< 2.8.7+dfsg-1.3+deb9u2php-symfony-debug_2.8.7+dfsg-1.3+deb9u2_all.deb
Debian8allphp-symfony-http-foundation< 2.3.21+dfsg-4+deb8u5php-symfony-http-foundation_2.3.21+dfsg-4+deb8u5_all.deb
Rows per page:
1-10 of 891

Related

nessus 12
osv 10
openvas 8
fedora 11
freebsd 1
drupal 1
ibm 1
debian 2
thn 1
ubuntucve 4
prion 4
cve 4
github 4
symfony 4
debiancve 4
veracode 4
redhatcve 1
nessus
nessus
Debian DLA-1778-1 : symfony security update
2019-05-07 00:00:00
Fedora 29 : php-symfony4 (2019-32067d8b15)
2019-04-29 00:00:00
Fedora 28 : php-symfony (2019-3ee6a7adf2)
2019-04-29 00:00:00
osv
osv
symfony - security update
2019-05-06 00:00:00
symfony - security update
2019-05-10 00:00:00
Symfony Cross-site Scripting (XSS) vulnerability
2019-11-12 23:00:53
openvas
openvas
Symfony 2.7.x < 2.7.51, 2.8.x < 2.8.50, 3.x < 3.4.26, 4.x < 4.1.12, 4.2.x < 4.2.7 Multiple Vulnerabilities
2019-05-20 00:00:00
Debian: Security Advisory (DLA-1778-1)
2019-05-07 00:00:00
Drupal 8.x Multiple Vulnerabilities (SA-CORE-2019-005) - Windows
2019-04-24 00:00:00
fedora
fedora
[SECURITY] Fedora 29 Update: php-symfony4-4.1.12-1.fc29
2019-04-27 23:12:03
[SECURITY] Fedora 29 Update: php-symfony-2.8.51-1.fc29
2019-04-27 23:12:01
[SECURITY] Fedora 29 Update: php-symfony3-3.4.26-1.fc29
2019-04-27 23:12:02
freebsd
freebsd
drupal -- Drupal core - Moderately critical
2019-04-17 00:00:00
drupal
drupal
Drupal core - Moderately critical - Multiple Vulnerabilities - SA-CORE-2019-005
2019-04-17 00:00:00
ibm
ibm
Security Bulletin: IBM API Connect's Developer Portal is impacted by vulnerabilities in Drupal core (CVE-2019-10909 CVE-2019-10910 CVE-2019-10911 CVE-2019-11358)
2019-05-31 13:40:01
debian
debian
[SECURITY] [DSA 4441-1] symfony security update
2019-05-10 06:26:19
[SECURITY] [DSA 4441-1] symfony security update
2019-05-10 06:26:19
thn
thn
Drupal Releases Core CMS Updates to Patch Several Vulnerabilities
2019-04-17 21:51:00
ubuntucve
ubuntucve
CVE-2019-10909
2019-05-16 00:00:00
CVE-2019-10910
2019-05-16 00:00:00
CVE-2019-10913
2019-05-16 00:00:00
prion
prion
Input validation
2019-05-16 22:29:00
Sql injection
2019-05-16 22:29:00
Sql injection
2019-05-16 22:29:00
cve
cve
CVE-2019-10909
2019-05-16 22:29:00
CVE-2019-10910
2019-05-16 22:29:00
CVE-2019-10913
2019-05-16 22:29:00
github
github
Symfony Cross-site Scripting (XSS) vulnerability
2019-11-12 23:00:53
Symfony Service IDs Allow Injection
2019-11-18 17:27:31
Invalid HTTP method overrides allow possible XSS or other attacks in Symfony
2019-12-02 18:10:24
symfony
symfony
CVE-2019-10909: Escape validation messages in the PHP templating engine
2019-04-17 00:00:00
CVE-2019-10910: Check service IDs are valid
2019-04-17 00:00:00
CVE-2019-10913: Reject invalid HTTP method overrides
2019-04-17 00:00:00
debiancve
debiancve
CVE-2019-10909
2019-05-16 22:29:00
CVE-2019-10910
2019-05-16 22:29:00
CVE-2019-10913
2019-05-16 22:29:00
veracode
veracode
Remote Code Execution (RCE)
2019-04-18 02:43:58
Cross-site Scripting (XSS)
2019-04-18 04:55:27
Authorization Bypass
2019-04-18 03:06:29
redhatcve
redhatcve
CVE-2019-10911
2022-05-20 22:45:13

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

6 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:S/C:P/I:P/A:P

0.002 Low

EPSS

Percentile

59.3%

JSON
Related for DEBIAN:DLA-1778-1:38F11
nessus12osv10openvas8fedora11freebsd1drupal1ibm1debian2thn1ubuntucve4prion4cve4github4symfony4debiancve4veracode4redhatcve1