Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
symfonySymfony SASSYMFONY:CVE-2019-10910-CHECK-SERVICE-IDS-ARE-VALID
HistoryApr 17, 2019 - 12:00 a.m.

CVE-2019-10910: Check service IDs are valid

2019-04-1700:00:00
Symfony SAS
symfony.com
14

7.9 High

AI Score

Confidence

High

JSON

Affected versions

Symfony 2.7.0 to 2.7.50, 2.8.0 to 2.8.49, 3.4.0 to 3.4.25, 4.1.0 to 4.1.11 and 4.2.0 to 4.2.6 versions of the Symfony Dependency Injection component are affected by this security issue.

The issue has been fixed in Symfony 2.7.51, 2.8.50, 3.4.26, 4.1.12 and 4.2.7.

Note that no fixes are provided for Symfony 3.0, 3.1, 3.2, 3.3, and 4.0 as they are not maintained anymore.

Description

Service IDs derived from unfiltered user input could result in the execution of any arbitrary code, resulting in possible remote code execution.

Resolution

On setting of an alias or a service we both confirm that the id does not contain certain characters and that ids are escaped while being dumped.

The patch for this issue is available here for branch 3.4.

Credits

I would like to thank Nicolas Grekas for reporting & fixing the issue.

Log in to add a reaction to this post

add a reaction ❤ 👍 🚀

Published in #Security Advisories

Related

osv 4
ubuntucve 1
prion 1
cve 1
veracode 1
github 1
debiancve 1
nessus 12
fedora 11
freebsd 1
thn 1
drupal 1
openvas 8
debian 3
ibm 1
osv
osv
CVE-2019-10910
2019-05-16 22:29:00
Symfony Service IDs Allow Injection
2019-11-18 17:27:31
symfony - security update
2019-05-06 00:00:00
ubuntucve
ubuntucve
CVE-2019-10910
2019-05-16 00:00:00
prion
prion
Sql injection
2019-05-16 22:29:00
cve
cve
CVE-2019-10910
2019-05-16 22:29:00
veracode
veracode
Remote Code Execution (RCE)
2019-04-18 02:43:58
github
github
Symfony Service IDs Allow Injection
2019-11-18 17:27:31
debiancve
debiancve
CVE-2019-10910
2019-05-16 22:29:00
nessus
nessus
Drupal 7.x < 7.66 / 8.5.x < 8.5.15 / 8.6.x < 8.6.15 Multiple Vulnerabilities (drupal-2019-04-17)
2019-04-19 00:00:00
FreeBSD : drupal -- Drupal core - Moderately critical (2bad8b5d-66fb-11e9-9815-78acc0a3b880)
2019-04-25 00:00:00
Fedora 29 : drupal8 (2019-7eaf0bbe7c)
2019-05-08 00:00:00
fedora
fedora
[SECURITY] Fedora 29 Update: php-symfony3-3.4.26-1.fc29
2019-04-27 23:12:02
[SECURITY] Fedora 30 Update: php-symfony3-3.4.26-1.fc30
2019-04-27 21:35:08
[SECURITY] Fedora 30 Update: php-symfony4-4.2.7-2.fc30
2019-04-27 21:35:09
freebsd
freebsd
drupal -- Drupal core - Moderately critical
2019-04-17 00:00:00
thn
thn
Drupal Releases Core CMS Updates to Patch Several Vulnerabilities
2019-04-17 21:51:00
drupal
drupal
Drupal core - Moderately critical - Multiple Vulnerabilities - SA-CORE-2019-005
2019-04-17 00:00:00
openvas
openvas
Drupal 8.x Multiple Vulnerabilities (SA-CORE-2019-005) - Windows
2019-04-24 00:00:00
Drupal 8.x Multiple Vulnerabilities (SA-CORE-2019-005) - Linux
2019-04-24 00:00:00
Symfony 2.7.x < 2.7.51, 2.8.x < 2.8.50, 3.x < 3.4.26, 4.x < 4.1.12, 4.2.x < 4.2.7 Multiple Vulnerabilities
2019-05-20 00:00:00
debian
debian
[SECURITY] [DLA 1778-1] symfony security update
2019-05-06 19:15:39
[SECURITY] [DSA 4441-1] symfony security update
2019-05-10 06:26:19
[SECURITY] [DSA 4441-1] symfony security update
2019-05-10 06:26:19
ibm
ibm
Security Bulletin: IBM API Connect's Developer Portal is impacted by vulnerabilities in Drupal core (CVE-2019-10909 CVE-2019-10910 CVE-2019-10911 CVE-2019-11358)
2019-05-31 13:40:01

7.9 High

AI Score

Confidence

High

JSON
Related for SYMFONY:CVE-2019-10910-CHECK-SERVICE-IDS-ARE-VALID
osv4ubuntucve1prion1cve1veracode1github1debiancve1nessus12fedora11freebsd1thn1drupal1openvas8debian3ibm1