CVE-2019-10913

{"id": "CVE-2019-10913", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2019-05-16T22:29:00.673", "references": [{"url": "https://github.com/symfony/symfony/commit/944e60f083c3bffbc6a0b5112db127a10a66a8ec", "tags": ["Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://symfony.com/blog/cve-2019-10913-reject-invalid-http-method-overrides", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, HTTP Methods provided as verbs or using the override header may be treated as trusted input, but they are not validated, possibly causing SQL injection or XSS. This is related to symfony/http-foundation."}, {"lang": "es", "value": "En Symfony la versi\u00f3n anterior a 2.7.51, versi\u00f3n 2.8.x anterior a 2.8.50, versi\u00f3n 3.x anterior a 3.4.26, versi\u00f3n 4.x anterior a 4.1.12 y versi\u00f3n 4.2.x anterior a 4.2.7, los m\u00e9todos HTTP se proporcionan como verbos o usando el encabezado de anulaci\u00f3n pueden tratarse como entradas de confianza, pero no est\u00e1n validadas, lo que posiblemente provoque la inyecci\u00f3n de SQL o XSS. Esto est\u00e1 relacionado con Symfony/http-foundation."}], "lastModified": "2020-08-24T17:37:01.140", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A86884C0-A185-4CCF-AB21-1D1529AEDAED", "versionEndExcluding": "2.7.51", "versionStartIncluding": "2.7.0"}, {"criteria": "cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A4716654-1055-44B3-8E51-5BC0E739E0CB", "versionEndExcluding": "2.8.50", "versionStartIncluding": "2.8.0"}, {"criteria": "cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CF53486E-FAAC-40B3-82CE-4EDCD2C96690", "versionEndExcluding": "3.4.26", "versionStartIncluding": "3.4.0"}, {"criteria": "cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "25A92454-6E0B-4BDE-8967-BB3E32125102", "versionEndExcluding": "4.1.12", "versionStartIncluding": "4.1.0"}, {"criteria": "cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "53E58B92-6D5D-4949-B75F-687F52961FDA", "versionEndExcluding": "4.2.7", "versionStartIncluding": "4.2.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}