CVE-2019-10910 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2019-10910

CVE-2019-10910

Published:May 16, 2019

Updated:May 16, 2026

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution. This is related to symfony/dependency-injection.

Affected Packages

symfony/dependency-injection (PHP):

Affected version(s) >=v3.0.0 <v3.4.26

Fix Suggestion:

Update to version v3.4.26

symfony/dependency-injection (PHP):

Affected version(s) >=v2.8.0 <v2.8.50

Fix Suggestion:

Update to version v2.8.50

symfony/dependency-injection (PHP):

Affected version(s) >=v4.0.0 <v4.1.12

Fix Suggestion:

Update to version v4.1.12

symfony/symfony (PHP):

Affected version(s) >=v2.8.0 <v2.8.50

Fix Suggestion:

Update to version v2.8.50

symfony/proxy-manager-bridge (PHP):

Affected version(s) >=v2.8.0 <v2.8.50

Fix Suggestion:

Update to version v2.8.50

symfony/proxy-manager-bridge (PHP):

Affected version(s) >=v2.7.0 <v2.7.51

Fix Suggestion:

Update to version v2.7.51

symfony/dependency-injection (PHP):

Affected version(s) >=v4.2.0 <v4.2.7

Fix Suggestion:

Update to version v4.2.7

symfony/symfony (PHP):

Affected version(s) >=v2.7.0 <v2.7.51

Fix Suggestion:

Update to version v2.7.51

symfony/symfony (PHP):

Affected version(s) >=v4.2.0 <v4.2.7

Fix Suggestion:

Update to version v4.2.7

symfony/proxy-manager-bridge (PHP):

Affected version(s) >=v3.0.0 <v3.4.26

Fix Suggestion:

Update to version v3.4.26

symfony/proxy-manager-bridge (PHP):

Affected version(s) >=v4.0.0 <v4.1.12

Fix Suggestion:

Update to version v4.1.12

symfony/dependency-injection (PHP):

Affected version(s) >=v2.7.0 <v2.7.51

Fix Suggestion:

Update to version v2.7.51

symfony/symfony (PHP):

Affected version(s) >=v3.0.0 <v3.4.26

Fix Suggestion:

Update to version v3.4.26

symfony/proxy-manager-bridge (PHP):

Affected version(s) >=v4.2.0 <v4.2.7

Fix Suggestion:

Update to version v4.2.7

symfony/symfony (PHP):

Affected version(s) >=v4.0.0 <v4.1.12

Fix Suggestion:

Update to version v4.1.12

Related Resources (11)

https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2019-10910.yaml

https://nvd.nist.gov/vuln/detail/CVE-2019-10910

https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/dependency-injection/CVE-2019-10910.yaml

https://symfony.com/blog/cve-2019-10910-check-service-ids-are-valid

https://github.com/symfony/symfony/commit/3876c75f858d5d82e2c309698d21af2f1d721afb

https://symfony.com/cve-2019-10910

https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/proxy-manager-bridge/CVE-2019-10910.yaml

https://github.com/symfony/symfony

https://www.synology.com/security/advisory/Synology_SA_19_19

https://github.com/symfony/symfony/commit/4c80c3444854ef384df94deb4acbcef4b5e5243b

https://github.com/symfony/symfony/commit/d2fb5893923292a1da7985f0b56960b5bb10737b

Do you need more information?

CVSS v4

Base Score:

9.3

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

NONE

Vulnerable System Confidentiality

HIGH

Vulnerable System Integrity

HIGH

Vulnerable System Availability

HIGH

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Weakness Type (CWE)

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CWE-89

EPSS

Base Score:

11.90