logo

Database

SQL injection - Code In symfony/dependency-injection

Description

Symfony Service IDs Allow Injection In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution. This is related to symfony/dependency-injection.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2019-109102. NVD-2019-109103. OSV-2019-109104. OSV-DEBIAN-2019-109105. GCVE-2019-109106. SECURITY-TRACKER-CVE-2019-10910

References

1. https://github.com/symfony/symfony/commit/3876c75f858d5d82e2c309698d21af2f1d721afb2. https://github.com/symfony/symfony/commit/4c80c3444854ef384df94deb4acbcef4b5e5243b3. https://github.com/symfony/symfony/commit/d2fb5893923292a1da7985f0b56960b5bb10737b4. https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/dependency-injection/CVE-2019-10910.yaml5. https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/proxy-manager-bridge/CVE-2019-10910.yaml6. https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2019-10910.yaml7. https://symfony.com/blog/cve-2019-10910-check-service-ids-are-valid8. https://symfony.com/cve-2019-109109. https://www.synology.com/security/advisory/Synology_SA_19_19

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.