CVE-2019-10910 – symfony/dependency-injection

Package

Manager: composer
Name: symfony/dependency-injection
Vulnerable Version: >=2.7.0 <2.7.51 || >=2.8.0 <2.8.50 || >=3.0.0 <3.4.26 || >=4.0.0 <4.1.12 || >=4.2.0 <4.2.7

Severity

Level: Critical

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.17606 pctl0.94837

Details

Symfony Service IDs Allow Injection In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution. This is related to symfony/dependency-injection.

Metadata

Created: 2019-11-18T17:27:31Z
Modified: 2025-05-29T22:51:16Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/11/GHSA-pgwj-prpq-jpc2/GHSA-pgwj-prpq-jpc2.json
CWE IDs: ["CWE-89"]
Alternative ID: GHSA-pgwj-prpq-jpc2
Finding: F297
Auto approve: 1