CVE-2019-10910: Symfony Service IDs Allow Injection
In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, service IDs derived from user input could allow SQL injection and remote code execution. The issue is in the symfony/dependency-injection component.
References
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/dependency-injection/CVE-2019-10910.yaml
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/proxy-manager-bridge/CVE-2019-10910.yaml
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2019-10910.yaml
- github.com/advisories/GHSA-pgwj-prpq-jpc2
- github.com/symfony/symfony
- github.com/symfony/symfony/commit/3876c75f858d5d82e2c309698d21af2f1d721afb
- github.com/symfony/symfony/commit/4c80c3444854ef384df94deb4acbcef4b5e5243b
- github.com/symfony/symfony/commit/d2fb5893923292a1da7985f0b56960b5bb10737b
- nvd.nist.gov/vuln/detail/CVE-2019-10910
- symfony.com/blog/cve-2019-10910-check-service-ids-are-valid
- symfony.com/cve-2019-10910
- www.synology.com/security/advisory/Synology_SA_19_19