Vulnerability CVE-2019-10913

Vulnerability Name:

CVE-2019-10913 (CCN-161246)

Assigned:

2019-04-17

Published:

2019-04-17

Updated:

2020-08-24

Summary:

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, HTTP Methods provided as verbs or using the override header may be treated as trusted input, but they are not validated, possibly causing SQL injection or XSS. This is related to symfony/http-foundation.

CVSS v3 Severity:

9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
8.5 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
6.4 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): Low

CVSS v2 Severity:

7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

7.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

Vulnerability Type:

CWE-89
CWE-79

Vulnerability Consequences:

Data Manipulation

References:

Source: MITRE
Type: CNA
CVE-2019-10913

Source: XF
Type: UNKNOWN
symfony-cve201910913-weak-security(161246)

Source: CONFIRM
Type: Patch, Third Party Advisory
https://github.com/symfony/symfony/commit/944e60f083c3bffbc6a0b5112db127a10a66a8ec

Source: CCN
Type: Symfony Web site
High Performance PHP Framework for Web Development

Source: CCN
Type: Symfony blog, April 17, 2019
CVE-2019-10913: Reject invalid HTTP method overrides

Source: CONFIRM
Type: Third Party Advisory
https://symfony.com/blog/cve-2019-10913-reject-invalid-http-method-overrides

Vulnerable Configuration:

Configuration 1:

cpe:/a:sensiolabs:symfony:*:*:*:*:*:*:*:* (Version >= 2.7.0 and < 2.7.51)

OR cpe:/a:sensiolabs:symfony:*:*:*:*:*:*:*:* (Version >= 2.8.0 and < 2.8.50)

OR cpe:/a:sensiolabs:symfony:*:*:*:*:*:*:*:* (Version >= 3.4.0 and < 3.4.26)

OR cpe:/a:sensiolabs:symfony:*:*:*:*:*:*:*:* (Version >= 4.1.0 and < 4.1.12)

OR cpe:/a:sensiolabs:symfony:*:*:*:*:*:*:*:* (Version >= 4.2.0 and < 4.2.7)

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:com.ubuntu.bionic:def:2019109130000000	V	CVE-2019-10913 on Ubuntu 18.04 LTS (bionic) - medium.	2019-05-16
oval:com.ubuntu.xenial:def:2019109130000000	V	CVE-2019-10913 on Ubuntu 16.04 LTS (xenial) - medium.	2019-05-16
oval:com.ubuntu.disco:def:2019109130000000	V	CVE-2019-10913 on Ubuntu 19.04 (disco) - medium.	2019-05-16
oval:com.ubuntu.cosmic:def:2019109130000000	V	CVE-2019-10913 on Ubuntu 18.10 (cosmic) - medium.	2019-05-16
oval:com.ubuntu.cosmic:def:201910913000	V	CVE-2019-10913 on Ubuntu 18.10 (cosmic) - medium.	2019-04-19
oval:com.ubuntu.bionic:def:201910913000	V	CVE-2019-10913 on Ubuntu 18.04 LTS (bionic) - medium.	2019-04-19
oval:com.ubuntu.xenial:def:201910913000	V	CVE-2019-10913 on Ubuntu 16.04 LTS (xenial) - medium.	2019-04-19

BACK