{"openvas": [{"lastseen": "2019-05-29T18:33:10", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2018-08-15T00:00:00", "type": "openvas", "title": "Fedora Update for php-symfony3 FEDORA-2018-9c38d1dc1d", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-14774", "CVE-2018-14773"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310874938", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874938", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_9c38d1dc1d_php-symfony3_fc28.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for php-symfony3 FEDORA-2018-9c38d1dc1d\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874938\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-08-15 06:36:01 +0200 (Wed, 15 Aug 2018)\");\n script_cve_id(\"CVE-2018-14773\", \"CVE-2018-14774\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for php-symfony3 FEDORA-2018-9c38d1dc1d\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'php-symfony3'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\non the target host.\");\n script_tag(name:\"affected\", value:\"php-symfony3 on Fedora 28\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"FEDORA\", value:\"2018-9c38d1dc1d\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UEXOLS5O7DVCCNWZY5TXF4UW5O2KP2HK\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC28\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC28\")\n{\n\n if ((res = isrpmvuln(pkg:\"php-symfony3\", rpm:\"php-symfony3~3.4.14~1.fc28\", rls:\"FC28\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:33:08", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2018-08-15T00:00:00", "type": "openvas", "title": "Fedora Update for php-symfony4 FEDORA-2018-732f45d43e", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-14774", "CVE-2018-14773"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310874940", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874940", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_732f45d43e_php-symfony4_fc28.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for php-symfony4 FEDORA-2018-732f45d43e\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874940\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-08-15 06:36:08 +0200 (Wed, 15 Aug 2018)\");\n script_cve_id(\"CVE-2018-14773\", \"CVE-2018-14774\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for php-symfony4 FEDORA-2018-732f45d43e\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'php-symfony4'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\non the target host.\");\n script_tag(name:\"affected\", value:\"php-symfony4 on Fedora 28\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"FEDORA\", value:\"2018-732f45d43e\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HQM36TIXT3OCRJQVSXONXFQ4SBIQDYCQ\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC28\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC28\")\n{\n\n if ((res = isrpmvuln(pkg:\"php-symfony4\", rpm:\"php-symfony4~4.0.14~1.fc28\", rls:\"FC28\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-06-10T12:44:37", "description": "This host runs Symfony and is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2018-08-06T00:00:00", "type": "openvas", "title": "Sensiolabs Symfony <= 2.7.48, 2.8.* <= 2.8.43, 3.* <= 3.3.17, 3.4.* <= 3.4.13, 4.0.* <= 4.0.13 and 4.1.* <= 4.1.2 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-14774", "CVE-2018-14773"], "modified": "2019-06-07T00:00:00", "id": "OPENVAS:1361412562310112350", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310112350", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Sensiolabs Symfony <= 2.7.48, 2.8.* <= 2.8.43, 3.* <= 3.3.17, 3.4.* <= 3.4.13, 4.0.* <= 4.0.13 and 4.1.* <= 4.1.2 Multiple Vulnerabilities\n#\n# Authors:\n# Adrian Steins <adrian.steins@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, https://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif( description )\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.112350\");\n script_version(\"2019-06-07T10:18:19+0000\");\n script_tag(name:\"last_modification\", value:\"2019-06-07 10:18:19 +0000 (Fri, 07 Jun 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-08-06 14:47:22 +0200 (Mon, 06 Aug 2018)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_cve_id(\"CVE-2018-14773\", \"CVE-2018-14774\");\n\n script_name(\"Sensiolabs Symfony <= 2.7.48, 2.8.* <= 2.8.43, 3.* <= 3.3.17, 3.4.* <= 3.4.13, 4.0.* <= 4.0.13 and 4.1.* <= 4.1.2 Multiple Vulnerabilities\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_symfony_consolidation.nasl\");\n script_mandatory_keys(\"symfony/detected\");\n\n script_tag(name:\"summary\", value:\"This host runs Symfony and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The following vulnerabilities exist:\n\n - Support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL\n or X-Rewrite-URL HTTP request header allows a user to access one URL but have Symfony return a different one\n which can bypass restrictions on higher level caches and web servers. 
(CVE-2018-14773)\n\n - When using HttpCache, the values of the X-Forwarded-Host headers are implicitly and wrongly set as trusted,\n leading to potential host header injection. (CVE-2018-14774)\");\n\n script_tag(name:\"affected\", value:\"Symfony versions 2.7.0 to 2.7.48, 2.8.0 to 2.8.43, 3.3.0 to 3.3.17, 3.4.0 to 3.4.13, 4.0.0 to 4.0.13, and 4.1.0 to 4.1.2.\");\n\n script_tag(name:\"solution\", value:\"The issue has been fixed in Symfony 2.7.49, 2.8.44, 3.3.18, 3.4.14, 4.0.14, and 4.1.3.\n\n NOTE: No fixes are provided for Symfony 3.0, 3.1, and 3.2 as they are not maintained anymore.\n It is recommended to upgrade to a supported version.\");\n\n script_xref(name:\"URL\", value:\"https://symfony.com/blog/cve-2018-14774-possible-host-header-injection-when-using-httpcache\");\n script_xref(name:\"URL\", value:\"https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers\");\n\n exit(0);\n}\n\nCPE = \"cpe:/a:sensiolabs:symfony\";\n\ninclude( \"host_details.inc\" );\ninclude( \"version_func.inc\" );\n\nif( isnull( port = get_app_port( cpe: CPE ) ) ) exit( 0 );\nif( ! 
infos = get_app_version_and_location( cpe: CPE, port: port, exit_no_version: TRUE) ) exit( 0 );\nversion = infos[\"version\"];\nlocation = infos[\"location\"];\n\nif( version_in_range( version: version, test_version: \"2.7.0\", test_version2: \"2.7.48\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"2.7.49\", install_path: location );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nif( version_in_range( version: version, test_version: \"2.8.0\", test_version2: \"2.8.43\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"2.8.44\", install_path: location);\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nif( version_in_range( version: version, test_version: \"3.0.0\", test_version2: \"3.3.17\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"3.3.18\", install_path: location );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nif( version_in_range( version: version, test_version: \"3.4.0\", test_version2: \"3.4.13\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"3.4.14\", install_path: location );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nif( version_in_range( version: version, test_version: \"4.0.0\", test_version2: \"4.0.13\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"4.0.14\", install_path: location );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nif( version_in_range( version: version, test_version: \"4.1.0\", test_version2: \"4.1.2\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"4.1.3\", install_path: location );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:33:08", "description": "The remote host is missing an update for the ", "cvss3": {}, 
"published": "2018-08-15T00:00:00", "type": "openvas", "title": "Fedora Update for php-symfony FEDORA-2018-9b54497b6e", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-14774", "CVE-2018-14773"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310874948", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874948", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_9b54497b6e_php-symfony_fc28.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for php-symfony FEDORA-2018-9b54497b6e\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874948\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-08-15 06:36:35 +0200 (Wed, 15 Aug 2018)\");\n script_cve_id(\"CVE-2018-14773\", \"CVE-2018-14774\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for php-symfony FEDORA-2018-9b54497b6e\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'php-symfony'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\non the target host.\");\n script_tag(name:\"affected\", value:\"php-symfony on Fedora 28\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"FEDORA\", value:\"2018-9b54497b6e\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZPFF4KO3R64TMPM7RYEJKJLYYJMW4KRB\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC28\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC28\")\n{\n\n if ((res = isrpmvuln(pkg:\"php-symfony\", rpm:\"php-symfony~2.8.44~1.fc28\", rls:\"FC28\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:32:14", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-04-29T00:00:00", "type": "openvas", "title": "Fedora Update for php-symfony FEDORA-2019-3ee6a7adf2", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-14774", "CVE-2018-14773"], "modified": "2019-04-30T00:00:00", "id": "OPENVAS:1361412562310875576", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310875576", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.875576\");\n script_version(\"2019-04-30T06:40:08+0000\");\n script_cve_id(\"CVE-2018-14773\", \"CVE-2018-14774\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-04-30 06:40:08 +0000 (Tue, 30 Apr 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-04-29 02:12:17 +0000 (Mon, 29 Apr 2019)\");\n script_name(\"Fedora Update for php-symfony FEDORA-2019-3ee6a7adf2\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC28\");\n\n script_xref(name:\"FEDORA\", value:\"2019-3ee6a7adf2\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BAC2TQVEEH5FDJSSWPM2BCRIPTCOEMMO\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'php-symfony'\n package(s) announced via the FEDORA-2019-3ee6a7adf2 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"PHP framework for web projects\");\n\n script_tag(name:\"affected\", value:\"'php-symfony' package(s) on Fedora 28.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", 
value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC28\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"php-symfony\", rpm:\"php-symfony~2.8.51~1.fc28\", rls:\"FC28\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:32:16", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-04-29T00:00:00", "type": "openvas", "title": "Fedora Update for php-symfony3 FEDORA-2019-2a7f472198", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-14774", "CVE-2018-14773"], "modified": "2019-04-30T00:00:00", "id": "OPENVAS:1361412562310875574", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310875574", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.875574\");\n script_version(\"2019-04-30T06:40:08+0000\");\n script_cve_id(\"CVE-2018-14773\", \"CVE-2018-14774\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-04-30 06:40:08 +0000 (Tue, 30 Apr 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-04-29 02:12:14 +0000 (Mon, 29 Apr 2019)\");\n script_name(\"Fedora Update for php-symfony3 FEDORA-2019-2a7f472198\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC28\");\n\n script_xref(name:\"FEDORA\", value:\"2019-2a7f472198\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LFARAUAWZE4UDSKVDWRD35D75HI5UGSD\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'php-symfony3'\n package(s) announced via the FEDORA-2019-2a7f472198 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Symfony PHP framework (version 3).\n\nNOTE: Does not require PHPUnit bridge.\");\n\n script_tag(name:\"affected\", value:\"'php-symfony3' package(s) on Fedora 28.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", 
value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC28\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"php-symfony3\", rpm:\"php-symfony3~3.4.26~1.fc28\", rls:\"FC28\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:33:00", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2018-08-15T00:00:00", "type": "openvas", "title": "Fedora Update for php-symfony FEDORA-2018-4deae442f2", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-14774", "CVE-2018-14773"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310874943", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874943", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_4deae442f2_php-symfony_fc27.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for php-symfony FEDORA-2018-4deae442f2\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874943\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-08-15 06:36:20 +0200 (Wed, 15 Aug 2018)\");\n script_cve_id(\"CVE-2018-14773\", \"CVE-2018-14774\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for php-symfony FEDORA-2018-4deae442f2\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'php-symfony'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\non the target host.\");\n script_tag(name:\"affected\", value:\"php-symfony on Fedora 27\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"FEDORA\", value:\"2018-4deae442f2\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EUC2RDMQGNBPXK3GCUZUKLHKSBBOVRD3\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC27\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC27\")\n{\n\n if ((res = isrpmvuln(pkg:\"php-symfony\", rpm:\"php-symfony~2.8.44~1.fc27\", rls:\"FC27\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:33:02", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2018-08-15T00:00:00", "type": "openvas", "title": "Fedora Update for php-zendframework-zend-diactoros FEDORA-2018-dbb0d41078", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-14774", "CVE-2018-14773"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310874944", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874944", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_dbb0d41078_php-zendframework-zend-diactoros_fc27.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for php-zendframework-zend-diactoros FEDORA-2018-dbb0d41078\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874944\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-08-15 06:36:25 +0200 (Wed, 15 Aug 2018)\");\n script_cve_id(\"CVE-2018-14773\", \"CVE-2018-14774\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for php-zendframework-zend-diactoros FEDORA-2018-dbb0d41078\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'php-zendframework-zend-diactoros'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\non the target host.\");\n script_tag(name:\"affected\", value:\"php-zendframework-zend-diactoros on Fedora 27\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"FEDORA\", value:\"2018-dbb0d41078\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2Q5NN4YKQFE3WLFLIS7AJTOJ6E5FNTRH\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", 
\"ssh/login/rpms\", re:\"ssh/login/release=FC27\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC27\")\n{\n\n if ((res = isrpmvuln(pkg:\"php-zendframework-zend-diactoros\", rpm:\"php-zendframework-zend-diactoros~1.8.4~1.fc27\", rls:\"FC27\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:33:10", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2018-08-15T00:00:00", "type": "openvas", "title": "Fedora Update for php-zendframework-zend-diactoros FEDORA-2018-4a606489ae", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-14774", "CVE-2018-14773"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310874933", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874933", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_4a606489ae_php-zendframework-zend-diactoros_fc28.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for php-zendframework-zend-diactoros FEDORA-2018-4a606489ae\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874933\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-08-15 06:35:45 +0200 (Wed, 15 Aug 2018)\");\n script_cve_id(\"CVE-2018-14773\", \"CVE-2018-14774\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for php-zendframework-zend-diactoros FEDORA-2018-4a606489ae\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'php-zendframework-zend-diactoros'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\non the target host.\");\n script_tag(name:\"affected\", value:\"php-zendframework-zend-diactoros on Fedora 28\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"FEDORA\", value:\"2018-4a606489ae\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6ZNPJW3QSANZXQXZVH7QHB35CTVFEBWA\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", 
\"ssh/login/rpms\", re:\"ssh/login/release=FC28\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC28\")\n{\n\n if ((res = isrpmvuln(pkg:\"php-zendframework-zend-diactoros\", rpm:\"php-zendframework-zend-diactoros~1.8.4~1.fc28\", rls:\"FC28\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:33:11", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2018-12-18T00:00:00", "type": "openvas", "title": "Fedora Update for php-symfony FEDORA-2018-8c06b6defd", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-19790", "CVE-2018-14774", "CVE-2018-14773", "CVE-2018-19789"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310875361", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310875361", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id$\n#\n# Fedora Update for php-symfony FEDORA-2018-8c06b6defd\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.875361\");\n script_version(\"$Revision: 14223 $\");\n script_cve_id(\"CVE-2018-19790\", \"CVE-2018-19789\", \"CVE-2018-14773\", \"CVE-2018-14774\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-12-18 08:05:47 +0100 (Tue, 18 Dec 2018)\");\n script_name(\"Fedora Update for php-symfony FEDORA-2018-8c06b6defd\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC28\");\n\n script_xref(name:\"FEDORA\", value:\"2018-8c06b6defd\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OA4WVFN5FYPIXAPLWZI6N425JHHDSWAZ\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'php-symfony'\n package(s) announced via the FEDORA-2018-8c06b6defd advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"affected\", value:\"php-symfony on Fedora 28.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", 
value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC28\")\n{\n\n if ((res = isrpmvuln(pkg:\"php-symfony\", rpm:\"php-symfony~2.8.49~1.fc28\", rls:\"FC28\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-05-29T18:32:55", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2018-12-18T00:00:00", "type": "openvas", "title": "Fedora Update for php-symfony4 FEDORA-2018-6edf04d9d6", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-19790", "CVE-2018-14774", "CVE-2018-14773", "CVE-2018-19789"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310875365", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310875365", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id$\n#\n# Fedora Update for php-symfony4 FEDORA-2018-6edf04d9d6\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.875365\");\n script_version(\"$Revision: 14223 $\");\n script_cve_id(\"CVE-2018-19790\", \"CVE-2018-19789\", \"CVE-2018-14773\", \"CVE-2018-14774\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-12-18 08:06:11 +0100 (Tue, 18 Dec 2018)\");\n script_name(\"Fedora Update for php-symfony4 FEDORA-2018-6edf04d9d6\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC28\");\n\n script_xref(name:\"FEDORA\", value:\"2018-6edf04d9d6\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZMRJ7VTHCY5AZK24G4QGX36RLUDTDKE\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'php-symfony4'\n package(s) announced via the FEDORA-2018-6edf04d9d6 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"affected\", value:\"php-symfony4 on Fedora 28.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", 
value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC28\")\n{\n\n if ((res = isrpmvuln(pkg:\"php-symfony4\", rpm:\"php-symfony4~4.0.15~1.fc28\", rls:\"FC28\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-05-29T18:33:09", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2018-12-18T00:00:00", "type": "openvas", "title": "Fedora Update for php-symfony3 FEDORA-2018-66547a8c14", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-19790", "CVE-2018-14774", "CVE-2018-14773", "CVE-2018-19789"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310875360", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310875360", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id$\n#\n# Fedora Update for php-symfony3 FEDORA-2018-66547a8c14\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.875360\");\n script_version(\"$Revision: 14223 $\");\n script_cve_id(\"CVE-2018-19790\", \"CVE-2018-19789\", \"CVE-2018-14773\", \"CVE-2018-14774\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-12-18 08:05:36 +0100 (Tue, 18 Dec 2018)\");\n script_name(\"Fedora Update for php-symfony3 FEDORA-2018-66547a8c14\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC28\");\n\n script_xref(name:\"FEDORA\", value:\"2018-66547a8c14\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4TD3E7FZIXLVFG3SMFJPDEKPZ26TJOW7\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'php-symfony3'\n package(s) announced via the FEDORA-2018-66547a8c14 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"affected\", value:\"php-symfony3 on Fedora 28.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", 
value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC28\")\n{\n\n if ((res = isrpmvuln(pkg:\"php-symfony3\", rpm:\"php-symfony3~3.4.20~1.fc28\", rls:\"FC28\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2019-05-29T18:33:05", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2018-08-15T00:00:00", "type": "openvas", "title": "Fedora Update for php-symfony4 FEDORA-2018-7f43cbdb69", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-14773"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310874927", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874927", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_7f43cbdb69_php-symfony4_fc27.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for php-symfony4 FEDORA-2018-7f43cbdb69\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874927\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-08-15 06:35:06 +0200 (Wed, 15 Aug 2018)\");\n script_cve_id(\"CVE-2018-14773\");\n script_tag(name:\"cvss_base\", value:\"4.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:N/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for php-symfony4 FEDORA-2018-7f43cbdb69\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'php-symfony4'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\non the target host.\");\n script_tag(name:\"affected\", value:\"php-symfony4 on Fedora 27\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"FEDORA\", value:\"2018-7f43cbdb69\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C6UOUQE6POHW24KKQSB372IGD7OLBN63\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC27\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC27\")\n{\n\n if ((res = isrpmvuln(pkg:\"php-symfony4\", rpm:\"php-symfony4~4.0.14~1.fc27\", rls:\"FC27\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2019-07-17T14:04:05", "description": "This host is running Drupal and is prone\n to multiple security vulnerabilities.", "cvss3": {}, "published": "2018-08-03T00:00:00", "type": "openvas", "title": "Drupal Core Multiple Security Vulnerabilities (SA-CORE-2018-005) Windows", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-14773"], "modified": "2019-07-05T00:00:00", "id": "OPENVAS:1361412562310813738", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813738", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Drupal Core Multiple Security Vulnerabilities (SA-CORE-2018-005) Windows\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:drupal:drupal';\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813738\");\n script_version(\"2019-07-05T09:54:18+0000\");\n script_cve_id(\"CVE-2018-14773\");\n script_tag(name:\"cvss_base\", value:\"4.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:N/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-07-05 09:54:18 +0000 (Fri, 05 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-08-03 11:33:16 +0530 (Fri, 03 Aug 2018)\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_name(\"Drupal Core Multiple Security Vulnerabilities (SA-CORE-2018-005) Windows\");\n\n script_tag(name:\"summary\", value:\"This host is running Drupal and is prone\n to multiple security vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to multiple errors\n in 3rd party libraries 'Symfony', 'zend-diactoros' and 'zend-feed' which are\n used in drupal. 
In each case, vulnerability let users override the path in the\n request URL via the X-Original-URL or X-Rewrite-URL HTTP request header which\n can allow a user to access one URL but have application return a different one.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to bypass security restrictions and emulate the headers to request\n arbitrary content.\");\n\n script_tag(name:\"affected\", value:\"Drupal core versions 8.x before 8.5.6 on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Drupal core version 8.5.6 or\n later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://www.drupal.org/SA-CORE-2018-005\");\n script_xref(name:\"URL\", value:\"https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers\");\n script_xref(name:\"URL\", value:\"https://framework.zend.com/security/advisory/ZF2018-01\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"drupal_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"drupal/installed\", \"Host/runs_windows\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!drupalPort = get_app_port(cpe:CPE)) {\n exit(0);\n}\n\nif(!infos = get_app_version_and_location(cpe:CPE, port:drupalPort, version_regex:\"^[0-9]\\.[0-9]+\", exit_no_version:TRUE)) {\n exit(0);\n}\n\ndrupalVer = infos['version'];\npath = infos['location'];\n\nif(version_in_range(version:drupalVer, test_version:\"8.0\", test_version2:\"8.5.5\")) {\n report = report_fixed_ver(installed_version:drupalVer, fixed_version:\"8.5.6\", install_path:path);\n security_message(data:report, port:drupalPort);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 4.0, 
"vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2019-07-17T14:04:05", "description": "This host is running Drupal and is prone\n to multiple security vulnerabilities.", "cvss3": {}, "published": "2018-08-03T00:00:00", "type": "openvas", "title": "Drupal Core Multiple Security Vulnerabilities (SA-CORE-2018-005) (Linux)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-14773"], "modified": "2019-07-05T00:00:00", "id": "OPENVAS:1361412562310813739", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813739", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Drupal Core Multiple Security Vulnerabilities (SA-CORE-2018-005) (Linux)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/a:drupal:drupal';\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813739\");\n script_version(\"2019-07-05T09:54:18+0000\");\n script_cve_id(\"CVE-2018-14773\");\n script_tag(name:\"cvss_base\", value:\"4.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:S/C:N/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-07-05 09:54:18 +0000 (Fri, 05 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-08-03 12:05:43 +0530 (Fri, 03 Aug 2018)\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_name(\"Drupal Core Multiple Security Vulnerabilities (SA-CORE-2018-005) (Linux)\");\n\n script_tag(name:\"summary\", value:\"This host is running Drupal and is prone\n to multiple security vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to multiple errors\n in 3rd party libraries 'Symfony', 'zend-diactoros' and 'zend-feed' which are\n used in drupal. 
In each case, vulnerability let users override the path in the\n request URL via the X-Original-URL or X-Rewrite-URL HTTP request header which\n can allow a user to access one URL but have application return a different one.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to bypass security restrictions and emulate the headers to request\n arbitrary content.\");\n\n script_tag(name:\"affected\", value:\"Drupal core versions 8.x before 8.5.6 on Linux.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Drupal core version 8.5.6 or\n later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://www.drupal.org/SA-CORE-2018-005\");\n script_xref(name:\"URL\", value:\"https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers\");\n script_xref(name:\"URL\", value:\"https://framework.zend.com/security/advisory/ZF2018-01\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"drupal_detect.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"drupal/installed\", \"Host/runs_unixoide\");\n script_require_ports(\"Services/www\", 80);\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!drupalPort = get_app_port(cpe:CPE)) {\n exit(0);\n}\n\nif(!infos = get_app_version_and_location(cpe:CPE, port:drupalPort, version_regex:\"^[0-9]\\.[0-9]+\", exit_no_version:TRUE)) {\n exit(0);\n}\n\ndrupalVer = infos['version'];\npath = infos['location'];\n\nif(version_in_range(version:drupalVer, test_version:\"8.0\", test_version2:\"8.5.5\")) {\n report = report_fixed_ver(installed_version:drupalVer, fixed_version:\"8.5.6\", install_path:path);\n security_message(data:report, port:drupalPort);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 4.0, 
"vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:33:08", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2018-08-15T00:00:00", "type": "openvas", "title": "Fedora Update for php-symfony3 FEDORA-2018-6f3ceeb7cb", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-11406", "CVE-2018-11407", "CVE-2018-14774", "CVE-2018-14773", "CVE-2018-11386", "CVE-2018-11385", "CVE-2018-11408"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310874951", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874951", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_6f3ceeb7cb_php-symfony3_fc27.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for php-symfony3 FEDORA-2018-6f3ceeb7cb\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874951\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-08-15 06:37:18 +0200 (Wed, 15 Aug 2018)\");\n script_cve_id(\"CVE-2018-14773\", \"CVE-2018-14774\", \"CVE-2018-11407\", \"CVE-2018-11408\",\n \"CVE-2018-11406\", \"CVE-2018-11385\", \"CVE-2018-11386\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for php-symfony3 FEDORA-2018-6f3ceeb7cb\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'php-symfony3'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\non the target host.\");\n script_tag(name:\"affected\", value:\"php-symfony3 on Fedora 27\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"FEDORA\", value:\"2018-6f3ceeb7cb\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AYJO6FI4ZZDXA5WEHNAPHKC55OMNF5Z3\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n 
script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC27\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC27\")\n{\n\n if ((res = isrpmvuln(pkg:\"php-symfony3\", rpm:\"php-symfony3~3.3.18~1.fc27\", rls:\"FC27\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-29T19:27:11", "description": "Several security vulnerabilities have been discovered in symfony, a PHP\nweb application framework. Numerous symfony components are affected:\nSecurity, bundle readers, session handling, SecurityBundle,\nHttpFoundation, Form, and Security\\Http.\n\nThe referenced upstream advisories contain further details.", "cvss3": {}, "published": "2019-03-11T00:00:00", "type": "openvas", "title": "Debian LTS: Security Advisory for symfony (DLA-1707-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-16652", "CVE-2018-19790", "CVE-2018-14773", "CVE-2018-11385", "CVE-2017-16654", "CVE-2018-19789", "CVE-2018-11408"], "modified": "2020-01-29T00:00:00", "id": "OPENVAS:1361412562310891707", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891707", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty 
of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891707\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2017-16652\", \"CVE-2017-16654\", \"CVE-2018-11385\", \"CVE-2018-11408\", \"CVE-2018-14773\",\n \"CVE-2018-19789\", \"CVE-2018-19790\");\n script_name(\"Debian LTS: Security Advisory for symfony (DLA-1707-1)\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-03-11 00:00:00 +0100 (Mon, 11 Mar 2019)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2019/03/msg00009.html\");\n script_xref(name:\"URL\", value:\"https://symfony.com/blog/cve-2017-16652-open-redirect-vulnerability-on-security-handlers\");\n script_xref(name:\"URL\", value:\"https://symfony.com/blog/cve-2017-16654-intl-bundle-readers-breaking-out-of-paths\");\n script_xref(name:\"URL\", value:\"https://symfony.com/blog/cve-2018-11385-session-fixation-issue-for-guard-authentication\");\n script_xref(name:\"URL\", value:\"https://symfony.com/blog/cve-2018-11408-open-redirect-vulnerability-on-security-handlers\");\n script_xref(name:\"URL\", value:\"https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers\");\n script_xref(name:\"URL\", value:\"https://symfony.com/blog/cve-2018-19789-disclosure-of-uploaded-files-full-path\");\n 
script_xref(name:\"URL\", value:\"https://symfony.com/blog/cve-2018-19790-open-redirect-vulnerability-when-using-security-http\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n\n script_tag(name:\"affected\", value:\"symfony on Debian Linux\");\n\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', these problems have been fixed in version\n2.3.21+dfsg-4+deb8u4.\n\nWe recommend that you upgrade your symfony packages.\");\n\n script_tag(name:\"summary\", value:\"Several security vulnerabilities have been discovered in symfony, a PHP\nweb application framework. Numerous symfony components are affected:\nSecurity, bundle readers, session handling, SecurityBundle,\nHttpFoundation, Form, and Security\\Http.\n\nThe referenced upstream advisories contain further details.\");\n\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-browser-kit\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-class-loader\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-classloader\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-config\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-console\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = 
isdpkgvuln(pkg:\"php-symfony-css-selector\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-debug\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-dependency-injection\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-doctrine-bridge\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-dom-crawler\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-event-dispatcher\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-eventdispatcher\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-filesystem\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-finder\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-form\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-framework-bundle\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-http-foundation\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-http-kernel\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-intl\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-locale\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-monolog-bridge\", 
ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-options-resolver\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-process\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-propel1-bridge\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-property-access\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-proxy-manager-bridge\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-routing\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-security\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-security-bundle\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-serializer\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-stopwatch\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-swiftmailer-bridge\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-templating\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-translation\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-twig-bridge\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-twig-bundle\", ver:\"2.3.21+dfsg-4+deb8u4\", 
rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-validator\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-web-profiler-bundle\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-yaml\", ver:\"2.3.21+dfsg-4+deb8u4\", rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:32:27", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-05-11T00:00:00", "type": "openvas", "title": "Debian Security Advisory DSA 4441-1 (symfony - security update)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-10911", "CVE-2018-19790", "CVE-2019-10913", "CVE-2018-14773", "CVE-2019-10910", "CVE-2018-19789", "CVE-2019-10909", "CVE-2019-10912"], "modified": "2019-05-27T00:00:00", "id": "OPENVAS:1361412562310704441", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310704441", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.704441\");\n script_version(\"2019-05-27T07:36:21+0000\");\n script_cve_id(\"CVE-2018-14773\", \"CVE-2018-19789\", \"CVE-2018-19790\", \"CVE-2019-10909\", \"CVE-2019-10910\", \"CVE-2019-10911\", \"CVE-2019-10912\", \"CVE-2019-10913\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-05-27 07:36:21 +0000 (Mon, 27 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-05-11 02:00:17 +0000 (Sat, 11 May 2019)\");\n script_name(\"Debian Security Advisory DSA 4441-1 (symfony - security update)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB9\");\n\n script_xref(name:\"URL\", value:\"https://www.debian.org/security/2019/dsa-4441.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DSA-4441-1\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'symfony'\n package(s) announced via the DSA-4441-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple vulnerabilities were discovered in the Symfony PHP framework\nwhich could lead to cache bypass, authentication bypass, information\ndisclosure, open redirect, cross-site request forgery, deletion of\narbitrary 
files, or arbitrary code execution.\");\n\n script_tag(name:\"affected\", value:\"'symfony' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For the stable distribution (stretch), these problems have been fixed in\nversion 2.8.7+dfsg-1.3+deb9u2.\n\nWe recommend that you upgrade your symfony packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-asset\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-browser-kit\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-class-loader\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-config\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-console\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-css-selector\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-debug\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-debug-bundle\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-dependency-injection\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-doctrine-bridge\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = 
isdpkgvuln(pkg:\"php-symfony-dom-crawler\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-event-dispatcher\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-expression-language\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-filesystem\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-finder\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-form\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-framework-bundle\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-http-foundation\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-http-kernel\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-intl\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-ldap\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-locale\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-monolog-bridge\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-options-resolver\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-phpunit-bridge\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = 
isdpkgvuln(pkg:\"php-symfony-process\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-property-access\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-property-info\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-proxy-manager-bridge\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-routing\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-security\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-security-bundle\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-security-core\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-security-csrf\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-security-guard\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-security-http\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-serializer\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-stopwatch\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-swiftmailer-bridge\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-templating\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = 
isdpkgvuln(pkg:\"php-symfony-translation\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-twig-bridge\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-twig-bundle\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-validator\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-var-dumper\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-web-profiler-bundle\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"php-symfony-yaml\", ver:\"2.8.7+dfsg-1.3+deb9u2\", rls:\"DEB9\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2022-03-27T15:50:02", "description": "## 4.0.14 (2018-08-01)\n\n - security #cve-2018-14774 [HttpKernel] fix trusted headers management in HttpCache and InlineFragmentRenderer (nicolas-grekas)\n\n - security #cve-2018-14773 [HttpFoundation] Remove support for legacy and risky HTTP headers (nicolas-grekas)\n\n - bug #28003 [HttpKernel] Fixes invalid REMOTE_ADDR in inline subrequest when configuring trusted proxy with subnet (netiul)\n\n - bug #28007 [FrameworkBundle] fixed guard event names for transitions (destillat)\n\n - bug #28045 [HttpFoundation] Fix Cookie::isCleared (ro0NL)\n\n - bug #28080 [HttpFoundation] fixed using _method parameter with invalid type (Phobetor)\n\n - bug #28052 [HttpKernel] Fix merging bindings for controllers' locators (nicolas-grekas)\n\n## 4.0.13 (2018-07-23)\n\n - bug #28005 [HttpKernel] Fixed templateExists on parse error of the template name 
(yceruto)\n\n - bug #27997 Serbo-Croatian has Serbian plural rule (kylekatarnls)\n\n - bug #26193 Fix false-positive deprecation notices for TranslationLoader and WriteCheckSessionHandler (iquito)\n\n - bug #27941 [WebProfilerBundle] Fixed icon alignment issue using Bootstrap 4.1.2 (jmsche)\n\n - bug #27937 [HttpFoundation] reset callback on StreamedResponse when setNotModified() is called (rubencm)\n\n - bug #27927 [HttpFoundation] Suppress side effects in 'get' and 'has' methods of NamespacedAttributeBag (webnet-fr)\n\n - bug #27923 [Form/Profiler] Massively reducing memory footprint of form profiling pages... (VincentChalnot)\n\n - bug #27918 [Console] correctly return parameter's default value on '--' (seschwar)\n\n - bug #27904 [Filesystem] fix lock file permissions (fritzmg)\n\n - bug #27903 [Lock] fix lock file permissions (fritzmg)\n\n - bug #27889 [Form] Replace .initialism with .text-uppercase. (vudaltsov)\n\n - bug #27902 Fix the detection of the Process new argument (stof)\n\n - bug #27885 [HttpFoundation] don't encode cookie name for BC (nicolas-grekas)\n\n - bug #27782 [DI] Fix dumping ignore-on-uninitialized references to synthetic services (nicolas-grekas)\n\n - bug #27435 [OptionResolver] resolve arrays (Doctrs)\n\n - bug #27728 [TwigBridge] Fix missing path and separators in loader paths list on debug:twig output (yceruto)\n\n - bug #27837 [PropertyInfo] Fix dock block lookup fallback loop (DerManoMann)\n\n - bug #27758 [WebProfilerBundle] Prevent toolbar links color override by css (alcalyn)\n\n - bug #27847 [Security] Fix accepting null as $uidKey in LdapUserProvider (louhde)\n\n - bug #27834 [DI] Don't show internal service id on binding errors (nicolas-grekas)\n\n - bug #27831 Check for Hyper terminal on all operating systems. 
(azjezz)\n\n - bug #27794 Add color support for Hyper terminal .\n (azjezz)\n\n - bug #27809 [HttpFoundation] Fix tests: new message for status 425 (dunglas)\n\n - bug #27618 [PropertyInfo] added handling of nullable types in PhpDoc (oxan)\n\n - bug #27659 [HttpKernel] Make AbstractTestSessionListener compatible with CookieClearingLogoutHandler (thewilkybarkid)\n\n - bug #27752 [Cache] provider does not respect option maxIdLength with versioning enabled (Constantine Shtompel)\n\n - bug #27776 [ProxyManagerBridge] Fix support of private services (bis) (nicolas-grekas)\n\n - bug #27714 [HttpFoundation] fix session tracking counter (nicolas-grekas, dmaicher)\n\n - bug #27747 [HttpFoundation] fix registration of session proxies (nicolas-grekas)\n\n - bug #27722 Redesign the Debug error page in prod (javiereguiluz)\n\n - bug #27716 [DI] fix dumping deprecated service in yaml (nicolas-grekas)\n\n## 4.0.12 (2018-06-25)\n\n - bug #27626 [TwigBundle][DX] Only add the Twig WebLinkExtension if the WebLink component is enabled (thewilkybarkid)\n\n - bug #27701 [SecurityBundle] Dont throw if 'security.http_utils' is not found (nicolas-grekas)\n\n - bug #27690 [DI] Resolve env placeholder in logs (ro0NL)\n\n - bug #26534 allow_extra_attributes does not throw an exception as documented (deviantintegral)\n\n - bug #27668 [Lock] use 'r+' for fopen (fixes issue on Solaris) (fritzmg)\n\n - bug #27669 [Filesystem] fix file lock on SunOS (fritzmg)\n\n - bug #27662 [HttpKernel] fix handling of nested Error instances (xabbuh)\n\n - bug #26845 [Config] Fixing GlobResource when inside phar archive (vworldat)\n\n - bug #27382 [Form] Fix error when rendering a DateIntervalType form with exactly 0 weeks (krixon)\n\n - bug #27309 Fix surrogate not using original request (Toflar)\n\n - bug #27467 [HttpKernel] fix session tracking in surrogate master requests (nicolas-grekas)\n\n - bug #27630 [Validator][Form] Remove BOM in some xlf files (gautierderuette)\n\n - bug #27596 [Framework][Workflow] 
Added support for interfaces (vudaltsov)\n\n - bug #27593 [ProxyManagerBridge] Fixed support of private services (nicolas-grekas)\n\n - bug #27591 [VarDumper] Fix dumping ArrayObject and ArrayIterator instances (nicolas-grekas)\n\n - bug #27581 Fix bad method call with guard authentication + session migration (weaverryan)\n\n - bug #27576 [Cache] Fix expiry comparisons in array-based pools (nicolas-grekas)\n\n - bug #27556 Avoiding session migration for stateless firewall UsernamePasswordJsonAuthenticationListener (weaverryan)\n\n - bug #27452 Avoid migration on stateless firewalls (weaverryan)\n\n - bug #27568 [DI] Deduplicate generated proxy classes (nicolas-grekas)\n\n - bug #27326 [Serializer] deserialize from xml: Fix a collection that contains the only one element (webnet-fr)\n\n - bug #27567 [PhpUnitBridge] Fix error on some Windows OS (Nsbx)\n\n - bug #27357 [Lock] Remove released semaphore (jderusse)\n\n - bug #27416 TagAwareAdapter over non-binary memcached connections corrupts memcache (Aleksey Prilipko)\n\n - bug #27514 [Debug] Pass previous exception to FatalErrorException (pmontoya)\n\n - bug #27516 Revert 'bug #26138 [HttpKernel] Catch HttpExceptions when templating is not installed (cilefen)' (nicolas-grekas)\n\n - bug #27318 [Cache] memcache connect should not add duplicate entries on sequential calls (Aleksey Prilipko)\n\n - bug #27389 [Serializer] Fix serializer tries to denormalize null values on nullable properties (ogizanagi)\n\n - bug #27272 [FrameworkBundle] Change priority of AddConsoleCommandPass to TYPE_BEFORE_REMOVING (upyx)\n\n - bug #27396 [HttpKernel] fix registering IDE links (nicolas-grekas)\n\n - bug #26973 [HttpKernel] Set first trusted proxy as REMOTE_ADDR in InlineFragmentRenderer. 
(kmadejski)\n\n - bug #27303 [Process] Consider 'executable' suffixes first on Windows (sanmai)\n\n - bug #27297 Triggering RememberMe's loginFail() when token cannot be created (weaverryan)\n\n - bug #27344 [HttpKernel] reset kernel start time on reboot (kiler129)\n\n - bug #27365 [Serializer] Check the value of enable_max_depth if defined (dunglas)\n\n - bug #27358 [PhpUnitBridge] silence some stderr outputs (ostrolucky)\n\n - bug #27366 [DI] never inline lazy services (nicolas-grekas)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 6.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"}, "published": "2018-08-15T00:00:00", "type": "nessus", "title": "Fedora 27 : php-symfony4 (2018-7f43cbdb69)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-14773", "CVE-2018-14774"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:php-symfony4", "cpe:/o:fedoraproject:fedora:27"], "id": "FEDORA_2018-7F43CBDB69.NASL", "href": "https://www.tenable.com/plugins/nessus/111712", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2018-7f43cbdb69.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(111712);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2018-14773\");\n script_xref(name:\"FEDORA\", value:\"2018-7f43cbdb69\");\n\n script_name(english:\"Fedora 27 : php-symfony4 (2018-7f43cbdb69)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The 
remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"## 4.0.14 (2018-08-01)\n\n - security #cve-2018-14774 [HttpKernel] fix trusted\n headers management in HttpCache and\n InlineFragmentRenderer (nicolas-grekas)\n\n - security #cve-2018-14773 [HttpFoundation] Remove support\n for legacy and risky HTTP headers (nicolas-grekas)\n\n - bug #28003 [HttpKernel] Fixes invalid REMOTE_ADDR in\n inline subrequest when configuring trusted proxy with\n subnet (netiul)\n\n - bug #28007 [FrameworkBundle] fixed guard event names for\n transitions (destillat)\n\n - bug #28045 [HttpFoundation] Fix Cookie::isCleared\n (ro0NL)\n\n - bug #28080 [HttpFoundation] fixed using _method\n parameter with invalid type (Phobetor)\n\n - bug #28052 [HttpKernel] Fix merging bindings for\n controllers' locators (nicolas-grekas)\n\n## 4.0.13 (2018-07-23)\n\n - bug #28005 [HttpKernel] Fixed templateExists on parse\n error of the template name (yceruto)\n\n - bug #27997 Serbo-Croatian has Serbian plural rule\n (kylekatarnls)\n\n - bug #26193 Fix false-positive deprecation notices for\n TranslationLoader and WriteCheckSessionHandler (iquito)\n\n - bug #27941 [WebProfilerBundle] Fixed icon alignment\n issue using Bootstrap 4.1.2 (jmsche)\n\n - bug #27937 [HttpFoundation] reset callback on\n StreamedResponse when setNotModified() is called\n (rubencm)\n\n - bug #27927 [HttpFoundation] Suppress side effects in\n 'get' and 'has' methods of NamespacedAttributeBag\n (webnet-fr)\n\n - bug #27923 [Form/Profiler] Massively reducing memory\n footprint of form profiling pages... (VincentChalnot)\n\n - bug #27918 [Console] correctly return parameter's\n default value on '--' (seschwar)\n\n - bug #27904 [Filesystem] fix lock file permissions\n (fritzmg)\n\n - bug #27903 [Lock] fix lock file permissions (fritzmg)\n\n - bug #27889 [Form] Replace .initialism with\n .text-uppercase. 
(vudaltsov)\n\n - bug #27902 Fix the detection of the Process new argument\n (stof)\n\n - bug #27885 [HttpFoundation] don't encode cookie name for\n BC (nicolas-grekas)\n\n - bug #27782 [DI] Fix dumping ignore-on-uninitialized\n references to synthetic services (nicolas-grekas)\n\n - bug #27435 [OptionResolver] resolve arrays (Doctrs)\n\n - bug #27728 [TwigBridge] Fix missing path and separators\n in loader paths list on debug:twig output (yceruto)\n\n - bug #27837 [PropertyInfo] Fix dock block lookup fallback\n loop (DerManoMann)\n\n - bug #27758 [WebProfilerBundle] Prevent toolbar links\n color override by css (alcalyn)\n\n - bug #27847 [Security] Fix accepting null as $uidKey in\n LdapUserProvider (louhde)\n\n - bug #27834 [DI] Don't show internal service id on\n binding errors (nicolas-grekas)\n\n - bug #27831 Check for Hyper terminal on all operating\n systems. (azjezz)\n\n - bug #27794 Add color support for Hyper terminal .\n (azjezz)\n\n - bug #27809 [HttpFoundation] Fix tests: new message for\n status 425 (dunglas)\n\n - bug #27618 [PropertyInfo] added handling of nullable\n types in PhpDoc (oxan)\n\n - bug #27659 [HttpKernel] Make AbstractTestSessionListener\n compatible with CookieClearingLogoutHandler\n (thewilkybarkid)\n\n - bug #27752 [Cache] provider does not respect option\n maxIdLength with versioning enabled (Constantine\n Shtompel)\n\n - bug #27776 [ProxyManagerBridge] Fix support of private\n services (bis) (nicolas-grekas)\n\n - bug #27714 [HttpFoundation] fix session tracking counter\n (nicolas-grekas, dmaicher)\n\n - bug #27747 [HttpFoundation] fix registration of session\n proxies (nicolas-grekas)\n\n - bug #27722 Redesign the Debug error page in prod\n (javiereguiluz)\n\n - bug #27716 [DI] fix dumping deprecated service in yaml\n (nicolas-grekas)\n\n## 4.0.12 (2018-06-25)\n\n - bug #27626 [TwigBundle][DX] Only add the Twig\n WebLinkExtension if the WebLink component is enabled\n (thewilkybarkid)\n\n - bug #27701 [SecurityBundle] Dont throw 
if\n 'security.http_utils' is not found (nicolas-grekas)\n\n - bug #27690 [DI] Resolve env placeholder in logs (ro0NL)\n\n - bug #26534 allow_extra_attributes does not throw an\n exception as documented (deviantintegral)\n\n - bug #27668 [Lock] use 'r+' for fopen (fixes issue on\n Solaris) (fritzmg)\n\n - bug #27669 [Filesystem] fix file lock on SunOS (fritzmg)\n\n - bug #27662 [HttpKernel] fix handling of nested Error\n instances (xabbuh)\n\n - bug #26845 [Config] Fixing GlobResource when inside phar\n archive (vworldat)\n\n - bug #27382 [Form] Fix error when rendering a\n DateIntervalType form with exactly 0 weeks (krixon)\n\n - bug #27309 Fix surrogate not using original request\n (Toflar)\n\n - bug #27467 [HttpKernel] fix session tracking in\n surrogate master requests (nicolas-grekas)\n\n - bug #27630 [Validator][Form] Remove BOM in some xlf\n files (gautierderuette)\n\n - bug #27596 [Framework][Workflow] Added support for\n interfaces (vudaltsov)\n\n - bug #27593 [ProxyManagerBridge] Fixed support of private\n services (nicolas-grekas)\n\n - bug #27591 [VarDumper] Fix dumping ArrayObject and\n ArrayIterator instances (nicolas-grekas)\n\n - bug #27581 Fix bad method call with guard authentication\n + session migration (weaverryan)\n\n - bug #27576 [Cache] Fix expiry comparisons in array-based\n pools (nicolas-grekas)\n\n - bug #27556 Avoiding session migration for stateless\n firewall UsernamePasswordJsonAuthenticationListener\n (weaverryan)\n\n - bug #27452 Avoid migration on stateless firewalls\n (weaverryan)\n\n - bug #27568 [DI] Deduplicate generated proxy classes\n (nicolas-grekas)\n\n - bug #27326 [Serializer] deserialize from xml: Fix a\n collection that contains the only one element\n (webnet-fr)\n\n - bug #27567 [PhpUnitBridge] Fix error on some Windows OS\n (Nsbx)\n\n - bug #27357 [Lock] Remove released semaphore (jderusse)\n\n - bug #27416 TagAwareAdapter over non-binary memcached\n connections corrupts memcache (Aleksey Prilipko)\n\n - bug #27514 
[Debug] Pass previous exception to\n FatalErrorException (pmontoya)\n\n - bug #27516 Revert 'bug #26138 [HttpKernel] Catch\n HttpExceptions when templating is not installed\n (cilefen)' (nicolas-grekas)\n\n - bug #27318 [Cache] memcache connect should not add\n duplicate entries on sequential calls (Aleksey Prilipko)\n\n - bug #27389 [Serializer] Fix serializer tries to\n denormalize null values on nullable properties\n (ogizanagi)\n\n - bug #27272 [FrameworkBundle] Change priority of\n AddConsoleCommandPass to TYPE_BEFORE_REMOVING (upyx)\n\n - bug #27396 [HttpKernel] fix registering IDE links\n (nicolas-grekas)\n\n - bug #26973 [HttpKernel] Set first trusted proxy as\n REMOTE_ADDR in InlineFragmentRenderer. (kmadejski)\n\n - bug #27303 [Process] Consider 'executable' suffixes\n first on Windows (sanmai)\n\n - bug #27297 Triggering RememberMe's loginFail() when\n token cannot be created (weaverryan)\n\n - bug #27344 [HttpKernel] reset kernel start time on\n reboot (kiler129)\n\n - bug #27365 [Serializer] Check the value of\n enable_max_depth if defined (dunglas)\n\n - bug #27358 [PhpUnitBridge] silence some stderr outputs\n (ostrolucky)\n\n - bug #27366 [DI] never inline lazy services\n (nicolas-grekas)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2018-7f43cbdb69\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected php-symfony4 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:fedoraproject:fedora:php-symfony4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:27\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/08/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^27([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 27\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC27\", reference:\"php-symfony4-4.0.14-1.fc27\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php-symfony4\");\n}\n", "cvss": {"score": 4, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2022-03-27T15:15:37", "description": "## 3.4.14 (2018-08-01)\n\n - security #cve-2018-14774 [HttpKernel] fix trusted headers management in HttpCache and InlineFragmentRenderer (nicolas-grekas)\n\n - security #cve-2018-14773 [HttpFoundation] Remove support for legacy and risky HTTP headers (nicolas-grekas)\n\n - bug #28003 [HttpKernel] Fixes invalid REMOTE_ADDR in inline subrequest when configuring trusted proxy with subnet (netiul)\n\n - bug #28007 [FrameworkBundle] fixed guard event names for transitions (destillat)\n\n - bug #28045 [HttpFoundation] Fix Cookie::isCleared (ro0NL)\n\n - bug #28080 [HttpFoundation] fixed using _method parameter with invalid type (Phobetor)\n\n - bug #28052 [HttpKernel] Fix merging bindings for controllers' locators (nicolas-grekas)\n\n## 3.4.13 (2018-07-23)\n\n - bug #28005 [HttpKernel] Fixed templateExists on parse error of the template name (yceruto)\n\n - bug #27997 Serbo-Croatian has Serbian plural rule (kylekatarnls)\n\n - bug #26193 Fix false-positive deprecation notices for TranslationLoader and WriteCheckSessionHandler (iquito)\n\n - bug #27941 [WebProfilerBundle] Fixed icon alignment issue 
using Bootstrap 4.1.2 (jmsche)\n\n - bug #27937 [HttpFoundation] reset callback on StreamedResponse when setNotModified() is called (rubencm)\n\n - bug #27927 [HttpFoundation] Suppress side effects in 'get' and 'has' methods of NamespacedAttributeBag (webnet-fr)\n\n - bug #27923 [Form/Profiler] Massively reducing memory footprint of form profiling pages... (VincentChalnot)\n\n - bug #27918 [Console] correctly return parameter's default value on '--' (seschwar)\n\n - bug #27904 [Filesystem] fix lock file permissions (fritzmg)\n\n - bug #27903 [Lock] fix lock file permissions (fritzmg)\n\n - bug #27889 [Form] Replace .initialism with .text-uppercase. (vudaltsov)\n\n - bug #27902 Fix the detection of the Process new argument (stof)\n\n - bug #27885 [HttpFoundation] don't encode cookie name for BC (nicolas-grekas)\n\n - bug #27782 [DI] Fix dumping ignore-on-uninitialized references to synthetic services (nicolas-grekas)\n\n - bug #27435 [OptionResolver] resolve arrays (Doctrs)\n\n - bug #27728 [TwigBridge] Fix missing path and separators in loader paths list on debug:twig output (yceruto)\n\n - bug #27837 [PropertyInfo] Fix dock block lookup fallback loop (DerManoMann)\n\n - bug #27758 [WebProfilerBundle] Prevent toolbar links color override by css (alcalyn)\n\n - bug #27834 [DI] Don't show internal service id on binding errors (nicolas-grekas)\n\n - bug #27831 Check for Hyper terminal on all operating systems. 
(azjezz)\n\n - bug #27794 Add color support for Hyper terminal .\n (azjezz)\n\n - bug #27809 [HttpFoundation] Fix tests: new message for status 425 (dunglas)\n\n - bug #27618 [PropertyInfo] added handling of nullable types in PhpDoc (oxan)\n\n - bug #27659 [HttpKernel] Make AbstractTestSessionListener compatible with CookieClearingLogoutHandler (thewilkybarkid)\n\n - bug #27752 [Cache] provider does not respect option maxIdLength with versioning enabled (Constantine Shtompel)\n\n - bug #27776 [ProxyManagerBridge] Fix support of private services (bis) (nicolas-grekas)\n\n - bug #27714 [HttpFoundation] fix session tracking counter (nicolas-grekas, dmaicher)\n\n - bug #27747 [HttpFoundation] fix registration of session proxies (nicolas-grekas)\n\n - bug #27722 Redesign the Debug error page in prod (javiereguiluz)\n\n - bug #27716 [DI] fix dumping deprecated service in yaml (nicolas-grekas)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 6.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"}, "published": "2019-01-03T00:00:00", "type": "nessus", "title": "Fedora 28 : php-symfony3 (2018-9c38d1dc1d)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-14773", "CVE-2018-14774"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:php-symfony3", "cpe:/o:fedoraproject:fedora:28"], "id": "FEDORA_2018-9C38D1DC1D.NASL", "href": "https://www.tenable.com/plugins/nessus/120653", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2018-9c38d1dc1d.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(120653);\n 
script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2018-14773\");\n script_xref(name:\"FEDORA\", value:\"2018-9c38d1dc1d\");\n\n script_name(english:\"Fedora 28 : php-symfony3 (2018-9c38d1dc1d)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"## 3.4.14 (2018-08-01)\n\n - security #cve-2018-14774 [HttpKernel] fix trusted\n headers management in HttpCache and\n InlineFragmentRenderer (nicolas-grekas)\n\n - security #cve-2018-14773 [HttpFoundation] Remove support\n for legacy and risky HTTP headers (nicolas-grekas)\n\n - bug #28003 [HttpKernel] Fixes invalid REMOTE_ADDR in\n inline subrequest when configuring trusted proxy with\n subnet (netiul)\n\n - bug #28007 [FrameworkBundle] fixed guard event names for\n transitions (destillat)\n\n - bug #28045 [HttpFoundation] Fix Cookie::isCleared\n (ro0NL)\n\n - bug #28080 [HttpFoundation] fixed using _method\n parameter with invalid type (Phobetor)\n\n - bug #28052 [HttpKernel] Fix merging bindings for\n controllers' locators (nicolas-grekas)\n\n## 3.4.13 (2018-07-23)\n\n - bug #28005 [HttpKernel] Fixed templateExists on parse\n error of the template name (yceruto)\n\n - bug #27997 Serbo-Croatian has Serbian plural rule\n (kylekatarnls)\n\n - bug #26193 Fix false-positive deprecation notices for\n TranslationLoader and WriteCheckSessionHandler (iquito)\n\n - bug #27941 [WebProfilerBundle] Fixed icon alignment\n issue using Bootstrap 4.1.2 (jmsche)\n\n - bug #27937 [HttpFoundation] reset callback on\n StreamedResponse when setNotModified() is called\n (rubencm)\n\n - bug #27927 [HttpFoundation] Suppress side effects in\n 'get' and 'has' methods of NamespacedAttributeBag\n (webnet-fr)\n\n - bug #27923 [Form/Profiler] Massively 
reducing memory\n footprint of form profiling pages... (VincentChalnot)\n\n - bug #27918 [Console] correctly return parameter's\n default value on '--' (seschwar)\n\n - bug #27904 [Filesystem] fix lock file permissions\n (fritzmg)\n\n - bug #27903 [Lock] fix lock file permissions (fritzmg)\n\n - bug #27889 [Form] Replace .initialism with\n .text-uppercase. (vudaltsov)\n\n - bug #27902 Fix the detection of the Process new argument\n (stof)\n\n - bug #27885 [HttpFoundation] don't encode cookie name for\n BC (nicolas-grekas)\n\n - bug #27782 [DI] Fix dumping ignore-on-uninitialized\n references to synthetic services (nicolas-grekas)\n\n - bug #27435 [OptionResolver] resolve arrays (Doctrs)\n\n - bug #27728 [TwigBridge] Fix missing path and separators\n in loader paths list on debug:twig output (yceruto)\n\n - bug #27837 [PropertyInfo] Fix dock block lookup fallback\n loop (DerManoMann)\n\n - bug #27758 [WebProfilerBundle] Prevent toolbar links\n color override by css (alcalyn)\n\n - bug #27834 [DI] Don't show internal service id on\n binding errors (nicolas-grekas)\n\n - bug #27831 Check for Hyper terminal on all operating\n systems. 
(azjezz)\n\n - bug #27794 Add color support for Hyper terminal .\n (azjezz)\n\n - bug #27809 [HttpFoundation] Fix tests: new message for\n status 425 (dunglas)\n\n - bug #27618 [PropertyInfo] added handling of nullable\n types in PhpDoc (oxan)\n\n - bug #27659 [HttpKernel] Make AbstractTestSessionListener\n compatible with CookieClearingLogoutHandler\n (thewilkybarkid)\n\n - bug #27752 [Cache] provider does not respect option\n maxIdLength with versioning enabled (Constantine\n Shtompel)\n\n - bug #27776 [ProxyManagerBridge] Fix support of private\n services (bis) (nicolas-grekas)\n\n - bug #27714 [HttpFoundation] fix session tracking counter\n (nicolas-grekas, dmaicher)\n\n - bug #27747 [HttpFoundation] fix registration of session\n proxies (nicolas-grekas)\n\n - bug #27722 Redesign the Debug error page in prod\n (javiereguiluz)\n\n - bug #27716 [DI] fix dumping deprecated service in yaml\n (nicolas-grekas)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2018-9c38d1dc1d\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected php-symfony3 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-symfony3\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:28\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/01/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^28([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 28\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC28\", reference:\"php-symfony3-3.4.14-1.fc28\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php-symfony3\");\n}\n", "cvss": {"score": 4, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2022-03-27T15:49:16", "description": "## 2.8.44 (2018-08-01)\n\n - security #cve-2018-14774 [HttpKernel] fix trusted headers management in HttpCache and InlineFragmentRenderer (nicolas-grekas)\n\n - security #cve-2018-14773 [HttpFoundation] Remove support for legacy and risky HTTP headers (nicolas-grekas)\n\n - bug #28003 [HttpKernel] Fixes invalid REMOTE_ADDR in inline subrequest when configuring trusted proxy with subnet (netiul)\n\n - bug #28045 [HttpFoundation] Fix Cookie::isCleared (ro0NL)\n\n - bug #28080 [HttpFoundation] fixed using _method parameter with invalid type (Phobetor)\n\n## 2.8.43 (2018-07-23)\n\n - bug #28005 [HttpKernel] Fixed templateExists on parse error of the template name (yceruto)\n\n - bug #27997 Serbo-Croatian has Serbian plural rule (kylekatarnls)\n\n - bug #27941 [WebProfilerBundle] Fixed icon alignment issue using Bootstrap 4.1.2 (jmsche)\n\n - bug #27937 [HttpFoundation] reset callback on StreamedResponse when setNotModified() is called (rubencm)\n\n - bug #27927 [HttpFoundation] Suppress side effects in 'get' and 'has' methods of NamespacedAttributeBag (webnet-fr)\n\n - bug #27904 [Filesystem] fix 
lock file permissions (fritzmg)\n\n - bug #27758 [WebProfilerBundle] Prevent toolbar links color override by css (alcalyn)\n\n - bug #27831 Check for Hyper terminal on all operating systems. (azjezz)\n\n - bug #27794 Add color support for Hyper terminal .\n (azjezz)\n\n - bug #27809 [HttpFoundation] Fix tests: new message for status 425 (dunglas)\n\n - bug #27716 [DI] fix dumping deprecated service in yaml (nicolas-grekas)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 6.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"}, "published": "2018-08-15T00:00:00", "type": "nessus", "title": "Fedora 27 : php-symfony (2018-4deae442f2)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-14773", "CVE-2018-14774"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:php-symfony", "cpe:/o:fedoraproject:fedora:27"], "id": "FEDORA_2018-4DEAE442F2.NASL", "href": "https://www.tenable.com/plugins/nessus/111710", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2018-4deae442f2.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(111710);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2018-14773\");\n script_xref(name:\"FEDORA\", value:\"2018-4deae442f2\");\n\n script_name(english:\"Fedora 27 : php-symfony (2018-4deae442f2)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n 
script_set_attribute(\n attribute:\"description\", \n value:\n\"## 2.8.44 (2018-08-01)\n\n - security #cve-2018-14774 [HttpKernel] fix trusted\n headers management in HttpCache and\n InlineFragmentRenderer (nicolas-grekas)\n\n - security #cve-2018-14773 [HttpFoundation] Remove support\n for legacy and risky HTTP headers (nicolas-grekas)\n\n - bug #28003 [HttpKernel] Fixes invalid REMOTE_ADDR in\n inline subrequest when configuring trusted proxy with\n subnet (netiul)\n\n - bug #28045 [HttpFoundation] Fix Cookie::isCleared\n (ro0NL)\n\n - bug #28080 [HttpFoundation] fixed using _method\n parameter with invalid type (Phobetor)\n\n## 2.8.43 (2018-07-23)\n\n - bug #28005 [HttpKernel] Fixed templateExists on parse\n error of the template name (yceruto)\n\n - bug #27997 Serbo-Croatian has Serbian plural rule\n (kylekatarnls)\n\n - bug #27941 [WebProfilerBundle] Fixed icon alignment\n issue using Bootstrap 4.1.2 (jmsche)\n\n - bug #27937 [HttpFoundation] reset callback on\n StreamedResponse when setNotModified() is called\n (rubencm)\n\n - bug #27927 [HttpFoundation] Suppress side effects in\n 'get' and 'has' methods of NamespacedAttributeBag\n (webnet-fr)\n\n - bug #27904 [Filesystem] fix lock file permissions\n (fritzmg)\n\n - bug #27758 [WebProfilerBundle] Prevent toolbar links\n color override by css (alcalyn)\n\n - bug #27831 Check for Hyper terminal on all operating\n systems. 
(azjezz)\n\n - bug #27794 Add color support for Hyper terminal .\n (azjezz)\n\n - bug #27809 [HttpFoundation] Fix tests: new message for\n status 425 (dunglas)\n\n - bug #27716 [DI] fix dumping deprecated service in yaml\n (nicolas-grekas)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2018-4deae442f2\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected php-symfony package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-symfony\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:27\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/08/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^27([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 27\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC27\", reference:\"php-symfony-2.8.44-1.fc27\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php-symfony\");\n}\n", "cvss": {"score": 4, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2022-03-27T15:13:56", "description": "## 4.0.14 (2018-08-01)\n\n - security #cve-2018-14774 [HttpKernel] fix trusted headers management in HttpCache and InlineFragmentRenderer (nicolas-grekas)\n\n - security #cve-2018-14773 [HttpFoundation] Remove support for legacy and risky HTTP headers (nicolas-grekas)\n\n - bug #28003 [HttpKernel] Fixes invalid REMOTE_ADDR in inline subrequest when configuring trusted proxy with 
subnet (netiul)\n\n - bug #28007 [FrameworkBundle] fixed guard event names for transitions (destillat)\n\n - bug #28045 [HttpFoundation] Fix Cookie::isCleared (ro0NL)\n\n - bug #28080 [HttpFoundation] fixed using _method parameter with invalid type (Phobetor)\n\n - bug #28052 [HttpKernel] Fix merging bindings for controllers' locators (nicolas-grekas)\n\n## 4.0.13 (2018-07-23)\n\n - bug #28005 [HttpKernel] Fixed templateExists on parse error of the template name (yceruto)\n\n - bug #27997 Serbo-Croatian has Serbian plural rule (kylekatarnls)\n\n - bug #26193 Fix false-positive deprecation notices for TranslationLoader and WriteCheckSessionHandler (iquito)\n\n - bug #27941 [WebProfilerBundle] Fixed icon alignment issue using Bootstrap 4.1.2 (jmsche)\n\n - bug #27937 [HttpFoundation] reset callback on StreamedResponse when setNotModified() is called (rubencm)\n\n - bug #27927 [HttpFoundation] Suppress side effects in 'get' and 'has' methods of NamespacedAttributeBag (webnet-fr)\n\n - bug #27923 [Form/Profiler] Massively reducing memory footprint of form profiling pages... (VincentChalnot)\n\n - bug #27918 [Console] correctly return parameter's default value on '--' (seschwar)\n\n - bug #27904 [Filesystem] fix lock file permissions (fritzmg)\n\n - bug #27903 [Lock] fix lock file permissions (fritzmg)\n\n - bug #27889 [Form] Replace .initialism with .text-uppercase. 
(vudaltsov)\n\n - bug #27902 Fix the detection of the Process new argument (stof)\n\n - bug #27885 [HttpFoundation] don't encode cookie name for BC (nicolas-grekas)\n\n - bug #27782 [DI] Fix dumping ignore-on-uninitialized references to synthetic services (nicolas-grekas)\n\n - bug #27435 [OptionResolver] resolve arrays (Doctrs)\n\n - bug #27728 [TwigBridge] Fix missing path and separators in loader paths list on debug:twig output (yceruto)\n\n - bug #27837 [PropertyInfo] Fix dock block lookup fallback loop (DerManoMann)\n\n - bug #27758 [WebProfilerBundle] Prevent toolbar links color override by css (alcalyn)\n\n - bug #27847 [Security] Fix accepting null as $uidKey in LdapUserProvider (louhde)\n\n - bug #27834 [DI] Don't show internal service id on binding errors (nicolas-grekas)\n\n - bug #27831 Check for Hyper terminal on all operating systems. (azjezz)\n\n - bug #27794 Add color support for Hyper terminal .\n (azjezz)\n\n - bug #27809 [HttpFoundation] Fix tests: new message for status 425 (dunglas)\n\n - bug #27618 [PropertyInfo] added handling of nullable types in PhpDoc (oxan)\n\n - bug #27659 [HttpKernel] Make AbstractTestSessionListener compatible with CookieClearingLogoutHandler (thewilkybarkid)\n\n - bug #27752 [Cache] provider does not respect option maxIdLength with versioning enabled (Constantine Shtompel)\n\n - bug #27776 [ProxyManagerBridge] Fix support of private services (bis) (nicolas-grekas)\n\n - bug #27714 [HttpFoundation] fix session tracking counter (nicolas-grekas, dmaicher)\n\n - bug #27747 [HttpFoundation] fix registration of session proxies (nicolas-grekas)\n\n - bug #27722 Redesign the Debug error page in prod (javiereguiluz)\n\n - bug #27716 [DI] fix dumping deprecated service in yaml (nicolas-grekas)\n\n## 4.0.12 (2018-06-25)\n\n - bug #27626 [TwigBundle][DX] Only add the Twig WebLinkExtension if the WebLink component is enabled (thewilkybarkid)\n\n - bug #27701 [SecurityBundle] Dont throw if 'security.http_utils' is not found 
(nicolas-grekas)\n\n - bug #27690 [DI] Resolve env placeholder in logs (ro0NL)\n\n - bug #26534 allow_extra_attributes does not throw an exception as documented (deviantintegral)\n\n - bug #27668 [Lock] use 'r+' for fopen (fixes issue on Solaris) (fritzmg)\n\n - bug #27669 [Filesystem] fix file lock on SunOS (fritzmg)\n\n - bug #27662 [HttpKernel] fix handling of nested Error instances (xabbuh)\n\n - bug #26845 [Config] Fixing GlobResource when inside phar archive (vworldat)\n\n - bug #27382 [Form] Fix error when rendering a DateIntervalType form with exactly 0 weeks (krixon)\n\n - bug #27309 Fix surrogate not using original request (Toflar)\n\n - bug #27467 [HttpKernel] fix session tracking in surrogate master requests (nicolas-grekas)\n\n - bug #27630 [Validator][Form] Remove BOM in some xlf files (gautierderuette)\n\n - bug #27596 [Framework][Workflow] Added support for interfaces (vudaltsov)\n\n - bug #27593 [ProxyManagerBridge] Fixed support of private services (nicolas-grekas)\n\n - bug #27591 [VarDumper] Fix dumping ArrayObject and ArrayIterator instances (nicolas-grekas)\n\n - bug #27581 Fix bad method call with guard authentication + session migration (weaverryan)\n\n - bug #27576 [Cache] Fix expiry comparisons in array-based pools (nicolas-grekas)\n\n - bug #27556 Avoiding session migration for stateless firewall UsernamePasswordJsonAuthenticationListener (weaverryan)\n\n - bug #27452 Avoid migration on stateless firewalls (weaverryan)\n\n - bug #27568 [DI] Deduplicate generated proxy classes (nicolas-grekas)\n\n - bug #27326 [Serializer] deserialize from xml: Fix a collection that contains the only one element (webnet-fr)\n\n - bug #27567 [PhpUnitBridge] Fix error on some Windows OS (Nsbx)\n\n - bug #27357 [Lock] Remove released semaphore (jderusse)\n\n - bug #27416 TagAwareAdapter over non-binary memcached connections corrupts memcache (Aleksey Prilipko)\n\n - bug #27514 [Debug] Pass previous exception to FatalErrorException (pmontoya)\n\n - bug #27516 
Revert 'bug #26138 [HttpKernel] Catch HttpExceptions when templating is not installed (cilefen)' (nicolas-grekas)\n\n - bug #27318 [Cache] memcache connect should not add duplicate entries on sequential calls (Aleksey Prilipko)\n\n - bug #27389 [Serializer] Fix serializer tries to denormalize null values on nullable properties (ogizanagi)\n\n - bug #27272 [FrameworkBundle] Change priority of AddConsoleCommandPass to TYPE_BEFORE_REMOVING (upyx)\n\n - bug #27396 [HttpKernel] fix registering IDE links (nicolas-grekas)\n\n - bug #26973 [HttpKernel] Set first trusted proxy as REMOTE_ADDR in InlineFragmentRenderer. (kmadejski)\n\n - bug #27303 [Process] Consider 'executable' suffixes first on Windows (sanmai)\n\n - bug #27297 Triggering RememberMe's loginFail() when token cannot be created (weaverryan)\n\n - bug #27344 [HttpKernel] reset kernel start time on reboot (kiler129)\n\n - bug #27365 [Serializer] Check the value of enable_max_depth if defined (dunglas)\n\n - bug #27358 [PhpUnitBridge] silence some stderr outputs (ostrolucky)\n\n - bug #27366 [DI] never inline lazy services (nicolas-grekas)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 6.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"}, "published": "2019-01-03T00:00:00", "type": "nessus", "title": "Fedora 28 : php-symfony4 (2018-732f45d43e)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-14773", "CVE-2018-14774"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:php-symfony4", "cpe:/o:fedoraproject:fedora:28"], "id": "FEDORA_2018-732F45D43E.NASL", "href": "https://www.tenable.com/plugins/nessus/120528", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this 
plugin were \n# extracted from Fedora Security Advisory FEDORA-2018-732f45d43e.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(120528);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2018-14773\");\n script_xref(name:\"FEDORA\", value:\"2018-732f45d43e\");\n\n script_name(english:\"Fedora 28 : php-symfony4 (2018-732f45d43e)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"## 4.0.14 (2018-08-01)\n\n - security #cve-2018-14774 [HttpKernel] fix trusted\n headers management in HttpCache and\n InlineFragmentRenderer (nicolas-grekas)\n\n - security #cve-2018-14773 [HttpFoundation] Remove support\n for legacy and risky HTTP headers (nicolas-grekas)\n\n - bug #28003 [HttpKernel] Fixes invalid REMOTE_ADDR in\n inline subrequest when configuring trusted proxy with\n subnet (netiul)\n\n - bug #28007 [FrameworkBundle] fixed guard event names for\n transitions (destillat)\n\n - bug #28045 [HttpFoundation] Fix Cookie::isCleared\n (ro0NL)\n\n - bug #28080 [HttpFoundation] fixed using _method\n parameter with invalid type (Phobetor)\n\n - bug #28052 [HttpKernel] Fix merging bindings for\n controllers' locators (nicolas-grekas)\n\n## 4.0.13 (2018-07-23)\n\n - bug #28005 [HttpKernel] Fixed templateExists on parse\n error of the template name (yceruto)\n\n - bug #27997 Serbo-Croatian has Serbian plural rule\n (kylekatarnls)\n\n - bug #26193 Fix false-positive deprecation notices for\n TranslationLoader and WriteCheckSessionHandler (iquito)\n\n - bug #27941 [WebProfilerBundle] Fixed icon alignment\n issue using Bootstrap 4.1.2 (jmsche)\n\n - bug #27937 [HttpFoundation] reset callback on\n StreamedResponse when setNotModified() 
is called\n (rubencm)\n\n - bug #27927 [HttpFoundation] Suppress side effects in\n 'get' and 'has' methods of NamespacedAttributeBag\n (webnet-fr)\n\n - bug #27923 [Form/Profiler] Massively reducing memory\n footprint of form profiling pages... (VincentChalnot)\n\n - bug #27918 [Console] correctly return parameter's\n default value on '--' (seschwar)\n\n - bug #27904 [Filesystem] fix lock file permissions\n (fritzmg)\n\n - bug #27903 [Lock] fix lock file permissions (fritzmg)\n\n - bug #27889 [Form] Replace .initialism with\n .text-uppercase. (vudaltsov)\n\n - bug #27902 Fix the detection of the Process new argument\n (stof)\n\n - bug #27885 [HttpFoundation] don't encode cookie name for\n BC (nicolas-grekas)\n\n - bug #27782 [DI] Fix dumping ignore-on-uninitialized\n references to synthetic services (nicolas-grekas)\n\n - bug #27435 [OptionResolver] resolve arrays (Doctrs)\n\n - bug #27728 [TwigBridge] Fix missing path and separators\n in loader paths list on debug:twig output (yceruto)\n\n - bug #27837 [PropertyInfo] Fix dock block lookup fallback\n loop (DerManoMann)\n\n - bug #27758 [WebProfilerBundle] Prevent toolbar links\n color override by css (alcalyn)\n\n - bug #27847 [Security] Fix accepting null as $uidKey in\n LdapUserProvider (louhde)\n\n - bug #27834 [DI] Don't show internal service id on\n binding errors (nicolas-grekas)\n\n - bug #27831 Check for Hyper terminal on all operating\n systems. 
(azjezz)\n\n - bug #27794 Add color support for Hyper terminal .\n (azjezz)\n\n - bug #27809 [HttpFoundation] Fix tests: new message for\n status 425 (dunglas)\n\n - bug #27618 [PropertyInfo] added handling of nullable\n types in PhpDoc (oxan)\n\n - bug #27659 [HttpKernel] Make AbstractTestSessionListener\n compatible with CookieClearingLogoutHandler\n (thewilkybarkid)\n\n - bug #27752 [Cache] provider does not respect option\n maxIdLength with versioning enabled (Constantine\n Shtompel)\n\n - bug #27776 [ProxyManagerBridge] Fix support of private\n services (bis) (nicolas-grekas)\n\n - bug #27714 [HttpFoundation] fix session tracking counter\n (nicolas-grekas, dmaicher)\n\n - bug #27747 [HttpFoundation] fix registration of session\n proxies (nicolas-grekas)\n\n - bug #27722 Redesign the Debug error page in prod\n (javiereguiluz)\n\n - bug #27716 [DI] fix dumping deprecated service in yaml\n (nicolas-grekas)\n\n## 4.0.12 (2018-06-25)\n\n - bug #27626 [TwigBundle][DX] Only add the Twig\n WebLinkExtension if the WebLink component is enabled\n (thewilkybarkid)\n\n - bug #27701 [SecurityBundle] Dont throw if\n 'security.http_utils' is not found (nicolas-grekas)\n\n - bug #27690 [DI] Resolve env placeholder in logs (ro0NL)\n\n - bug #26534 allow_extra_attributes does not throw an\n exception as documented (deviantintegral)\n\n - bug #27668 [Lock] use 'r+' for fopen (fixes issue on\n Solaris) (fritzmg)\n\n - bug #27669 [Filesystem] fix file lock on SunOS (fritzmg)\n\n - bug #27662 [HttpKernel] fix handling of nested Error\n instances (xabbuh)\n\n - bug #26845 [Config] Fixing GlobResource when inside phar\n archive (vworldat)\n\n - bug #27382 [Form] Fix error when rendering a\n DateIntervalType form with exactly 0 weeks (krixon)\n\n - bug #27309 Fix surrogate not using original request\n (Toflar)\n\n - bug #27467 [HttpKernel] fix session tracking in\n surrogate master requests (nicolas-grekas)\n\n - bug #27630 [Validator][Form] Remove BOM in some xlf\n files 
(gautierderuette)\n\n - bug #27596 [Framework][Workflow] Added support for\n interfaces (vudaltsov)\n\n - bug #27593 [ProxyManagerBridge] Fixed support of private\n services (nicolas-grekas)\n\n - bug #27591 [VarDumper] Fix dumping ArrayObject and\n ArrayIterator instances (nicolas-grekas)\n\n - bug #27581 Fix bad method call with guard authentication\n + session migration (weaverryan)\n\n - bug #27576 [Cache] Fix expiry comparisons in array-based\n pools (nicolas-grekas)\n\n - bug #27556 Avoiding session migration for stateless\n firewall UsernamePasswordJsonAuthenticationListener\n (weaverryan)\n\n - bug #27452 Avoid migration on stateless firewalls\n (weaverryan)\n\n - bug #27568 [DI] Deduplicate generated proxy classes\n (nicolas-grekas)\n\n - bug #27326 [Serializer] deserialize from xml: Fix a\n collection that contains the only one element\n (webnet-fr)\n\n - bug #27567 [PhpUnitBridge] Fix error on some Windows OS\n (Nsbx)\n\n - bug #27357 [Lock] Remove released semaphore (jderusse)\n\n - bug #27416 TagAwareAdapter over non-binary memcached\n connections corrupts memcache (Aleksey Prilipko)\n\n - bug #27514 [Debug] Pass previous exception to\n FatalErrorException (pmontoya)\n\n - bug #27516 Revert 'bug #26138 [HttpKernel] Catch\n HttpExceptions when templating is not installed\n (cilefen)' (nicolas-grekas)\n\n - bug #27318 [Cache] memcache connect should not add\n duplicate entries on sequential calls (Aleksey Prilipko)\n\n - bug #27389 [Serializer] Fix serializer tries to\n denormalize null values on nullable properties\n (ogizanagi)\n\n - bug #27272 [FrameworkBundle] Change priority of\n AddConsoleCommandPass to TYPE_BEFORE_REMOVING (upyx)\n\n - bug #27396 [HttpKernel] fix registering IDE links\n (nicolas-grekas)\n\n - bug #26973 [HttpKernel] Set first trusted proxy as\n REMOTE_ADDR in InlineFragmentRenderer. 
(kmadejski)\n\n - bug #27303 [Process] Consider 'executable' suffixes\n first on Windows (sanmai)\n\n - bug #27297 Triggering RememberMe's loginFail() when\n token cannot be created (weaverryan)\n\n - bug #27344 [HttpKernel] reset kernel start time on\n reboot (kiler129)\n\n - bug #27365 [Serializer] Check the value of\n enable_max_depth if defined (dunglas)\n\n - bug #27358 [PhpUnitBridge] silence some stderr outputs\n (ostrolucky)\n\n - bug #27366 [DI] never inline lazy services\n (nicolas-grekas)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2018-732f45d43e\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected php-symfony4 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-symfony4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:28\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/01/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^28([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 28\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC28\", reference:\"php-symfony4-4.0.14-1.fc28\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php-symfony4\");\n}\n", "cvss": {"score": 4, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2022-03-27T15:50:06", "description": "## 3.3.18 (2018-08-01)\n\n - security #cve-2018-14774 [HttpKernel] fix trusted headers management in HttpCache and InlineFragmentRenderer (nicolas-grekas)\n\n - security #cve-2018-14773 [HttpFoundation] Remove support for legacy and risky HTTP 
headers (nicolas-grekas)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 6.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"}, "published": "2018-08-15T00:00:00", "type": "nessus", "title": "Fedora 27 : php-symfony3 (2018-6f3ceeb7cb)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-14773", "CVE-2018-14774"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:php-symfony3", "cpe:/o:fedoraproject:fedora:27"], "id": "FEDORA_2018-6F3CEEB7CB.NASL", "href": "https://www.tenable.com/plugins/nessus/111711", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2018-6f3ceeb7cb.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(111711);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2018-14773\");\n script_xref(name:\"FEDORA\", value:\"2018-6f3ceeb7cb\");\n\n script_name(english:\"Fedora 27 : php-symfony3 (2018-6f3ceeb7cb)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"## 3.3.18 (2018-08-01)\n\n - security #cve-2018-14774 [HttpKernel] fix trusted\n headers management in HttpCache and\n InlineFragmentRenderer (nicolas-grekas)\n\n - security #cve-2018-14773 [HttpFoundation] Remove support\n for legacy and risky HTTP headers (nicolas-grekas)\n\nNote that Tenable Network Security has extracted the 
preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2018-6f3ceeb7cb\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected php-symfony3 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-symfony3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:27\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/08/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^27([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 27\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC27\", reference:\"php-symfony3-3.3.18-1.fc27\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php-symfony3\");\n}\n", "cvss": {"score": 4, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2022-03-27T15:14:00", "description": "## 2.8.44 (2018-08-01)\n\n - security #cve-2018-14774 [HttpKernel] fix trusted headers management in HttpCache and InlineFragmentRenderer (nicolas-grekas)\n\n - security #cve-2018-14773 [HttpFoundation] Remove support for legacy and risky HTTP headers (nicolas-grekas)\n\n - bug #28003 [HttpKernel] Fixes invalid REMOTE_ADDR in inline subrequest when configuring trusted proxy 
with subnet (netiul)\n\n - bug #28045 [HttpFoundation] Fix Cookie::isCleared (ro0NL)\n\n - bug #28080 [HttpFoundation] fixed using _method parameter with invalid type (Phobetor)\n\n## 2.8.43 (2018-07-23)\n\n - bug #28005 [HttpKernel] Fixed templateExists on parse error of the template name (yceruto)\n\n - bug #27997 Serbo-Croatian has Serbian plural rule (kylekatarnls)\n\n - bug #27941 [WebProfilerBundle] Fixed icon alignment issue using Bootstrap 4.1.2 (jmsche)\n\n - bug #27937 [HttpFoundation] reset callback on StreamedResponse when setNotModified() is called (rubencm)\n\n - bug #27927 [HttpFoundation] Suppress side effects in 'get' and 'has' methods of NamespacedAttributeBag (webnet-fr)\n\n - bug #27904 [Filesystem] fix lock file permissions (fritzmg)\n\n - bug #27758 [WebProfilerBundle] Prevent toolbar links color override by css (alcalyn)\n\n - bug #27831 Check for Hyper terminal on all operating systems. (azjezz)\n\n - bug #27794 Add color support for Hyper terminal .\n (azjezz)\n\n - bug #27809 [HttpFoundation] Fix tests: new message for status 425 (dunglas)\n\n - bug #27716 [DI] fix dumping deprecated service in yaml (nicolas-grekas)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 6.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"}, "published": "2019-01-03T00:00:00", "type": "nessus", "title": "Fedora 28 : php-symfony (2018-9b54497b6e)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-14773", "CVE-2018-14774"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:php-symfony", "cpe:/o:fedoraproject:fedora:28"], "id": "FEDORA_2018-9B54497B6E.NASL", "href": "https://www.tenable.com/plugins/nessus/120651", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# 
The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2018-9b54497b6e.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(120651);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2018-14773\");\n script_xref(name:\"FEDORA\", value:\"2018-9b54497b6e\");\n\n script_name(english:\"Fedora 28 : php-symfony (2018-9b54497b6e)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"## 2.8.44 (2018-08-01)\n\n - security #cve-2018-14774 [HttpKernel] fix trusted\n headers management in HttpCache and\n InlineFragmentRenderer (nicolas-grekas)\n\n - security #cve-2018-14773 [HttpFoundation] Remove support\n for legacy and risky HTTP headers (nicolas-grekas)\n\n - bug #28003 [HttpKernel] Fixes invalid REMOTE_ADDR in\n inline subrequest when configuring trusted proxy with\n subnet (netiul)\n\n - bug #28045 [HttpFoundation] Fix Cookie::isCleared\n (ro0NL)\n\n - bug #28080 [HttpFoundation] fixed using _method\n parameter with invalid type (Phobetor)\n\n## 2.8.43 (2018-07-23)\n\n - bug #28005 [HttpKernel] Fixed templateExists on parse\n error of the template name (yceruto)\n\n - bug #27997 Serbo-Croatian has Serbian plural rule\n (kylekatarnls)\n\n - bug #27941 [WebProfilerBundle] Fixed icon alignment\n issue using Bootstrap 4.1.2 (jmsche)\n\n - bug #27937 [HttpFoundation] reset callback on\n StreamedResponse when setNotModified() is called\n (rubencm)\n\n - bug #27927 [HttpFoundation] Suppress side effects in\n 'get' and 'has' methods of NamespacedAttributeBag\n (webnet-fr)\n\n - bug #27904 [Filesystem] fix lock file permissions\n (fritzmg)\n\n - bug #27758 [WebProfilerBundle] 
Prevent toolbar links\n color override by css (alcalyn)\n\n - bug #27831 Check for Hyper terminal on all operating\n systems. (azjezz)\n\n - bug #27794 Add color support for Hyper terminal .\n (azjezz)\n\n - bug #27809 [HttpFoundation] Fix tests: new message for\n status 425 (dunglas)\n\n - bug #27716 [DI] fix dumping deprecated service in yaml\n (nicolas-grekas)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2018-9b54497b6e\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected php-symfony package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:php-symfony\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:28\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/01/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^28([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 28\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC28\", reference:\"php-symfony-2.8.44-1.fc28\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"php-symfony\");\n}\n", "cvss": {"score": 4, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2022-04-12T16:57:17", "description": "According to its self-reported version, the instance of Drupal running on the remote web server is 8.x prior to 8.5.6. 
It is, therefore, affected by a restriction bypass vulnerability in the embedded Symfony library.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 6.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"}, "published": "2018-08-09T00:00:00", "type": "nessus", "title": "Drupal 8.x < 8.5.6 Symfony Risky HTTP Header Restriction Bypass Vulnerability (SA-CORE-2018-005)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-14773"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:drupal:drupal"], "id": "DRUPAL_8_5_6.NASL", "href": "https://www.tenable.com/plugins/nessus/111599", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(111599);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2018-14773\");\n\n script_name(english:\"Drupal 8.x < 8.5.6 Symfony Risky HTTP Header Restriction Bypass Vulnerability (SA-CORE-2018-005)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A PHP application running on the remote web server is affected by a\nrestriction bypass vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the instance of Drupal running\non the remote web server is 8.x prior to 8.5.6. 
It is, therefore,\naffected by a restriction bypass vulnerability in the embedded\nSymfony library.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.drupal.org/SA-CORE-2018-005\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.drupal.org/project/drupal/releases/8.5.6\");\n # https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?391e80f4\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Drupal version 8.5.6 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-14773\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/08/09\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:drupal:drupal\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"drupal_detect.nasl\");\n script_require_keys(\"installed_sw/Drupal\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 80, 443);\n\n exit(0);\n}\n\ninclude(\"vcf.inc\");\ninclude(\"http.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nport = get_http_port(default:80, php:TRUE);\n\napp_info = vcf::get_app_info(app:\"Drupal\", port:port, webapp:true);\n\nvcf::check_granularity(app_info:app_info, sig_segments:2);\n\nconstraints = [\n { \"min_version\" : \"8.0\", \"fixed_version\" : \"8.5.6\" }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);\n", "cvss": {"score": 4, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2022-03-27T15:56:46", "description": "According to its self-reported version number, the detected Drupal application is affected by a vulnerability in Symfony library X-Original-URL and X-Rewrite-URL HTTP headers support.\n\nNote that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {"score": 6.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"}, "published": "2018-11-05T00:00:00", "type": "nessus", "title": "Drupal 8.6.x < 8.6.0-beta2 Symfony Legacy HTTP Headers Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-14773"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_98580", "href": "https://www.tenable.com/plugins/was/98580", "sourceData": "No source data", "cvss": {"score": 4, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2022-03-27T15:56:25", "description": "According to its self-reported version number, the detected Drupal application is affected by a vulnerability in Symfony library X-Original-URL and X-Rewrite-URL HTTP headers support.\n\nNote that the scanner has not tested for these issues but 
has instead relied only on the application's self-reported version number.", "cvss3": {"score": 6.5, "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"}, "published": "2018-11-05T00:00:00", "type": "nessus", "title": "Drupal 8.x < 8.5.6 Symfony Legacy HTTP Headers Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-14773"], "modified": "2021-10-07T00:00:00", "cpe": ["cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*"], "id": "WEB_APPLICATION_SCANNING_98581", "href": "https://www.tenable.com/plugins/was/98581", "sourceData": "No source data", "cvss": {"score": 4, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2021-08-19T12:27:44", "description": "Several security vulnerabilities have been discovered in symfony, a PHP web application framework. Numerous symfony components are affected: Security, bundle readers, session handling, SecurityBundle, HttpFoundation, Form, and Security\\Http.\n\nThe corresponding upstream advisories contain further details :\n\n[CVE-2017-16652] https://symfony.com/blog/cve-2017-16652-open-redirect-vulnerability-on-security-handlers\n\n[CVE-2017-16654] https://symfony.com/blog/cve-2017-16654-intl-bundle-readers-breaking-out-of-paths\n\n[CVE-2018-11385] https://symfony.com/blog/cve-2018-11385-session-fixation-issue-for-guard-authentication\n\n[CVE-2018-11408] https://symfony.com/blog/cve-2018-11408-open-redirect-vulnerability-on-security-handlers\n\n[CVE-2018-14773] https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers\n\n[CVE-2018-19789] https://symfony.com/blog/cve-2018-19789-disclosure-of-uploaded-files-full-path\n\n[CVE-2018-19790] https://symfony.com/blog/cve-2018-19790-open-redirect-vulnerability-when-using-security-http\n\nFor Debian 8 'Jessie', these problems have been fixed in version 2.3.21+dfsg-4+deb8u4.\n\nWe recommend that you upgrade your symfony packages.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the
DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {"score": 8.1, "vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-03-11T00:00:00", "type": "nessus", "title": "Debian DLA-1707-1 : symfony security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-16652", "CVE-2017-16654", "CVE-2018-11385", "CVE-2018-11408", "CVE-2018-14773", "CVE-2018-19789", "CVE-2018-19790"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:php-symfony-browser-kit", "p-cpe:/a:debian:debian_linux:php-symfony-class-loader", "p-cpe:/a:debian:debian_linux:php-symfony-classloader", "p-cpe:/a:debian:debian_linux:php-symfony-config", "p-cpe:/a:debian:debian_linux:php-symfony-console", "p-cpe:/a:debian:debian_linux:php-symfony-css-selector", "p-cpe:/a:debian:debian_linux:php-symfony-debug", "p-cpe:/a:debian:debian_linux:php-symfony-dependency-injection", "p-cpe:/a:debian:debian_linux:php-symfony-doctrine-bridge", "p-cpe:/a:debian:debian_linux:php-symfony-dom-crawler", "p-cpe:/a:debian:debian_linux:php-symfony-event-dispatcher", "p-cpe:/a:debian:debian_linux:php-symfony-eventdispatcher", "p-cpe:/a:debian:debian_linux:php-symfony-filesystem", "p-cpe:/a:debian:debian_linux:php-symfony-finder", "p-cpe:/a:debian:debian_linux:php-symfony-form", "p-cpe:/a:debian:debian_linux:php-symfony-framework-bundle", "p-cpe:/a:debian:debian_linux:php-symfony-http-foundation", "p-cpe:/a:debian:debian_linux:php-symfony-http-kernel", "p-cpe:/a:debian:debian_linux:php-symfony-intl", "p-cpe:/a:debian:debian_linux:php-symfony-locale", "p-cpe:/a:debian:debian_linux:php-symfony-monolog-bridge", "p-cpe:/a:debian:debian_linux:php-symfony-options-resolver", "p-cpe:/a:debian:debian_linux:php-symfony-process", "p-cpe:/a:debian:debian_linux:php-symfony-propel1-bridge", "p-cpe:/a:debian:debian_linux:php-symfony-property-access", 
"p-cpe:/a:debian:debian_linux:php-symfony-proxy-manager-bridge", "p-cpe:/a:debian:debian_linux:php-symfony-routing", "p-cpe:/a:debian:debian_linux:php-symfony-security", "p-cpe:/a:debian:debian_linux:php-symfony-security-bundle", "p-cpe:/a:debian:debian_linux:php-symfony-serializer", "p-cpe:/a:debian:debian_linux:php-symfony-stopwatch", "p-cpe:/a:debian:debian_linux:php-symfony-swiftmailer-bridge", "p-cpe:/a:debian:debian_linux:php-symfony-templating", "p-cpe:/a:debian:debian_linux:php-symfony-translation", "p-cpe:/a:debian:debian_linux:php-symfony-twig-bridge", "p-cpe:/a:debian:debian_linux:php-symfony-twig-bundle", "p-cpe:/a:debian:debian_linux:php-symfony-validator", "p-cpe:/a:debian:debian_linux:php-symfony-web-profiler-bundle", "p-cpe:/a:debian:debian_linux:php-symfony-yaml", "cpe:/o:debian:debian_linux:8.0"], "id": "DEBIAN_DLA-1707.NASL", "href": "https://www.tenable.com/plugins/nessus/122721", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-1707-1. 
The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(122721);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2017-16652\", \"CVE-2017-16654\", \"CVE-2018-11385\", \"CVE-2018-11408\", \"CVE-2018-14773\", \"CVE-2018-19789\", \"CVE-2018-19790\");\n\n script_name(english:\"Debian DLA-1707-1 : symfony security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several security vulnerabilities have been discovered in symfony, a\nPHP web application framework. Numerous symfony components are\naffected: Security, bundle readers, session handling, SecurityBundle,\nHttpFoundation, Form, and Security\\Http.\n\nThe corresponding upstream advisories contain further details :\n\n[CVE-2017-16652]\nhttps://symfony.com/blog/cve-2017-16652-open-redirect-vulnerability-on\n-security-handlers\n\n[CVE-2017-16654]\nhttps://symfony.com/blog/cve-2017-16654-intl-bundle-readers-breaking-o\nut-of-paths\n\n[CVE-2018-11385]\nhttps://symfony.com/blog/cve-2018-11385-session-fixation-issue-for-gua\nrd-authentication\n\n[CVE-2018-11408]\nhttps://symfony.com/blog/cve-2018-11408-open-redirect-vulnerability-on\n-security-handlers\n\n[CVE-2018-14773]\nhttps://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-\nrisky-http-headers\n\n[CVE-2018-19789]\nhttps://symfony.com/blog/cve-2018-19789-disclosure-of-uploaded-files-f\null-path\n\n[CVE-2018-19790]\nhttps://symfony.com/blog/cve-2018-19790-open-redirect-vulnerability-wh\nen-using-security-http\n\nFor Debian 8 'Jessie', these problems have been fixed in version\n2.3.21+dfsg-4+deb8u4.\n\nWe recommend that you 
upgrade your symfony packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2019/03/msg00009.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/symfony\"\n );\n # https://symfony.com/blog/cve-2017-16652-open-redirect-vulnerability-on-security-handlers\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?0f99409b\"\n );\n # https://symfony.com/blog/cve-2017-16654-intl-bundle-readers-breaking-out-of-paths\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?c7dce206\"\n );\n # https://symfony.com/blog/cve-2018-11385-session-fixation-issue-for-guard-authentication\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?5a195ddf\"\n );\n # https://symfony.com/blog/cve-2018-11408-open-redirect-vulnerability-on-security-handlers\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?39450434\"\n );\n # https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?391e80f4\"\n );\n # https://symfony.com/blog/cve-2018-19789-disclosure-of-uploaded-files-full-path\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?df081f61\"\n );\n # https://symfony.com/blog/cve-2018-19790-open-redirect-vulnerability-when-using-security-http\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?8a01aecd\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n 
script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-browser-kit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-class-loader\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-classloader\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-config\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-console\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-css-selector\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-dependency-injection\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-doctrine-bridge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-dom-crawler\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-event-dispatcher\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-eventdispatcher\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-filesystem\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-finder\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:debian:debian_linux:php-symfony-form\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-framework-bundle\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-http-foundation\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-http-kernel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-intl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-locale\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-monolog-bridge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-options-resolver\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-process\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-propel1-bridge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-property-access\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-proxy-manager-bridge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-routing\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-security\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-security-bundle\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-serializer\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-stopwatch\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-swiftmailer-bridge\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:debian:debian_linux:php-symfony-templating\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-translation\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-twig-bridge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-twig-bundle\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-validator\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-web-profiler-bundle\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:php-symfony-yaml\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/03/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/03/11\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-browser-kit\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-class-loader\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-classloader\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-config\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-console\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-css-selector\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-debug\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-dependency-injection\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-doctrine-bridge\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-dom-crawler\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-event-dispatcher\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-eventdispatcher\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", 
prefix:\"php-symfony-filesystem\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-finder\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-form\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-framework-bundle\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-http-foundation\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-http-kernel\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-intl\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-locale\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-monolog-bridge\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-options-resolver\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-process\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-propel1-bridge\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-property-access\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-proxy-manager-bridge\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-routing\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-security\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-security-bundle\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-serializer\", reference:\"2.3.21+dfsg-4+deb8u4\")) 
flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-stopwatch\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-swiftmailer-bridge\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-templating\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-translation\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-twig-bridge\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-twig-bundle\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-validator\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-web-profiler-bundle\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"php-symfony-yaml\", reference:\"2.3.21+dfsg-4+deb8u4\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-28T13:14:49", "description": "Multiple vulnerabilities were discovered in the Symfony PHP framework which could lead to cache bypass, authentication bypass, information disclosure, open redirect, cross-site request forgery, deletion of arbitrary files, or arbitrary code execution.", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-05-13T00:00:00", "type": "nessus", "title": "Debian DSA-4441-1 : symfony - security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-14773", "CVE-2018-19789", "CVE-2018-19790", "CVE-2019-10909", "CVE-2019-10910", "CVE-2019-10911", "CVE-2019-10912", "CVE-2019-10913"], "modified": 
"2020-01-21T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:symfony", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DSA-4441.NASL", "href": "https://www.tenable.com/plugins/nessus/124779", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4441. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(124779);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2020/01/21\");\n\n script_cve_id(\"CVE-2018-14773\", \"CVE-2018-19789\", \"CVE-2018-19790\", \"CVE-2019-10909\", \"CVE-2019-10910\", \"CVE-2019-10911\", \"CVE-2019-10912\", \"CVE-2019-10913\");\n script_xref(name:\"DSA\", value:\"4441\");\n\n script_name(english:\"Debian DSA-4441-1 : symfony - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple vulnerabilities were discovered in the Symfony PHP framework\nwhich could lead to cache bypass, authentication bypass, information\ndisclosure, open redirect, cross-site request forgery, deletion of\narbitrary files, or arbitrary code execution.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/symfony\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/symfony\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2019/dsa-4441\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the symfony packages.\n\nFor the stable distribution (stretch), these problems have been fixed\nin version 2.8.7+dfsg-1.3+deb9u2.\"\n );\n 
script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:symfony\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/13\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-asset\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-browser-kit\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-class-loader\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-config\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-console\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-css-selector\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-debug\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-debug-bundle\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-dependency-injection\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-doctrine-bridge\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-dom-crawler\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", 
prefix:\"php-symfony-event-dispatcher\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-expression-language\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-filesystem\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-finder\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-form\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-framework-bundle\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-http-foundation\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-http-kernel\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-intl\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-ldap\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-locale\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-monolog-bridge\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-options-resolver\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-phpunit-bridge\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-process\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-property-access\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-property-info\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-proxy-manager-bridge\", 
reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-routing\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-security\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-security-bundle\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-security-core\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-security-csrf\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-security-guard\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-security-http\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-serializer\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-stopwatch\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-swiftmailer-bridge\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-templating\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-translation\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-twig-bridge\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-twig-bundle\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-validator\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-var-dumper\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-web-profiler-bundle\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) 
flag++;\nif (deb_check(release:\"9.0\", prefix:\"php-symfony-yaml\", reference:\"2.8.7+dfsg-1.3+deb9u2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "fedora": [{"lastseen": "2021-07-28T14:46:50", "description": "PHP framework for web projects ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 7.2, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 2.7}, "published": "2018-08-14T20:21:42", "type": "fedora", "title": "[SECURITY] Fedora 27 Update: php-symfony-2.8.44-1.fc27", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-14773", "CVE-2018-14774"], "modified": "2018-08-14T20:21:42", "id": "FEDORA:403AF64802F4", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/EUC2RDMQGNBPXK3GCUZUKLHKSBBOVRD3/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-07-28T14:46:50", "description": "PHP framework for web projects ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", 
"attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 7.2, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 2.7}, "published": "2018-08-14T21:12:56", "type": "fedora", "title": "[SECURITY] Fedora 28 Update: php-symfony-2.8.44-1.fc28", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-14773", "CVE-2018-14774"], "modified": "2018-08-14T21:12:56", "id": "FEDORA:EEC816317E9C", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZPFF4KO3R64TMPM7RYEJKJLYYJMW4KRB/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-07-28T14:46:50", "description": "Symfony PHP framework (version 3). NOTE: Does not require PHPUnit bridge. 
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 7.2, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 2.7}, "published": "2018-08-14T21:13:01", "type": "fedora", "title": "[SECURITY] Fedora 28 Update: php-symfony3-3.4.14-1.fc28", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-14773", "CVE-2018-14774"], "modified": "2018-08-14T21:13:01", "id": "FEDORA:5FC0A63192A0", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UEXOLS5O7DVCCNWZY5TXF4UW5O2KP2HK/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-07-28T14:46:50", "description": "Symfony PHP framework (version 4). NOTE: Does not require PHPUnit bridge. 
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 7.2, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 2.7}, "published": "2018-08-14T21:13:06", "type": "fedora", "title": "[SECURITY] Fedora 28 Update: php-symfony4-4.0.14-1.fc28", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-14773", "CVE-2018-14774"], "modified": "2018-08-14T21:13:06", "id": "FEDORA:E1D4B6318FD0", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/HQM36TIXT3OCRJQVSXONXFQ4SBIQDYCQ/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-07-28T18:41:37", "description": "PHP framework for web projects ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 7.2, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 2.7}, "published": "2018-12-17T02:28:11", "type": "fedora", "title": "[SECURITY] Fedora 28 Update: php-symfony-2.8.49-1.fc28", "bulletinFamily": 
"unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-14773", "CVE-2018-14774", "CVE-2018-19789", "CVE-2018-19790"], "modified": "2018-12-17T02:28:11", "id": "FEDORA:9A2646048FF2", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OA4WVFN5FYPIXAPLWZI6N425JHHDSWAZ/", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-07-28T18:41:37", "description": "Symfony PHP framework (version 3). NOTE: Does not require PHPUnit bridge. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 7.2, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 2.7}, "published": "2018-12-17T02:28:10", "type": "fedora", "title": "[SECURITY] Fedora 28 Update: php-symfony3-3.4.20-1.fc28", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, 
"impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-14773", "CVE-2018-14774", "CVE-2018-19789", "CVE-2018-19790"], "modified": "2018-12-17T02:28:10", "id": "FEDORA:843FD6048FD9", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4TD3E7FZIXLVFG3SMFJPDEKPZ26TJOW7/", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-07-28T18:41:37", "description": "Symfony PHP framework (version 4). NOTE: Does not require PHPUnit bridge. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 7.2, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 2.7}, "published": "2018-12-17T02:28:12", "type": "fedora", "title": "[SECURITY] Fedora 28 Update: php-symfony4-4.0.15-1.fc28", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-14773", "CVE-2018-14774", "CVE-2018-19789", "CVE-2018-19790"], "modified": "2018-12-17T02:28:12", "id": "FEDORA:B21066048FEE", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JZMRJ7VTHCY5AZK24G4QGX36RLUDTDKE/", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-11-27T10:47:49", "description": 
"Symfony PHP framework (version 3). NOTE: Does not require PHPUnit bridge. ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-04-27T21:36:40", "type": "fedora", "title": "[SECURITY] Fedora 28 Update: php-symfony3-3.4.26-1.fc28", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-14773", "CVE-2018-14774", "CVE-2019-10909", "CVE-2019-10910", "CVE-2019-10911"], "modified": "2019-04-27T21:36:40", "id": "FEDORA:6C3A3604A067", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LFARAUAWZE4UDSKVDWRD35D75HI5UGSD/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:46:50", "description": "A PHP package containing implementations of the accepted PSR-7 HTTP message interfaces [1], as well as a \"server\" implementation similar to node's http.Server [2]. 
Documentation: https://zendframework.github.io/zend-diactoros/ Autoloader: /usr/share/php/Zend/Diactoros/autoload.php [1] http://www.php-fig.org/psr/psr-7/ [2] http://nodejs.org/api/http.html ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-08-14T20:21:53", "type": "fedora", "title": "[SECURITY] Fedora 27 Update: php-zendframework-zend-diactoros-1.8.4-1.fc27", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-14773"], "modified": "2018-08-14T20:21:53", "id": "FEDORA:308796481BA8", "href": "", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2021-07-28T14:46:50", "description": "A PHP package containing implementations of the accepted PSR-7 HTTP message interfaces [1], as well as a \"server\" implementation similar to node's http.Server [2]. 
Documentation: https://zendframework.github.io/zend-diactoros/ Autoloader: /usr/share/php/Zend/Diactoros/autoload.php [1] http://www.php-fig.org/psr/psr-7/ [2] http://nodejs.org/api/http.html ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-08-14T21:13:08", "type": "fedora", "title": "[SECURITY] Fedora 28 Update: php-zendframework-zend-diactoros-1.8.4-1.fc28", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-14773"], "modified": "2018-08-14T21:13:08", "id": "FEDORA:2C60F6317793", "href": "", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2021-11-27T10:47:49", "description": "PHP framework for web projects ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-04-27T21:36:39", 
"type": "fedora", "title": "[SECURITY] Fedora 28 Update: php-symfony-2.8.51-1.fc28", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-14773", "CVE-2018-14774", "CVE-2019-10909", "CVE-2019-10910", "CVE-2019-10911", "CVE-2019-10912", "CVE-2019-10913"], "modified": "2019-04-27T21:36:39", "id": "FEDORA:11742604AF76", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BAC2TQVEEH5FDJSSWPM2BCRIPTCOEMMO/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:46:50", "description": "Symfony PHP framework (version 3). NOTE: Does not require PHPUnit bridge. 
", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-08-14T20:21:45", "type": "fedora", "title": "[SECURITY] Fedora 27 Update: php-symfony3-3.3.18-1.fc27", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11385", "CVE-2018-11386", "CVE-2018-11406", "CVE-2018-11407", "CVE-2018-11408", "CVE-2018-14773", "CVE-2018-14774"], "modified": "2018-08-14T20:21:45", "id": "FEDORA:E962C6480ABF", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/AYJO6FI4ZZDXA5WEHNAPHKC55OMNF5Z3/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-03-23T13:24:55", "description": "An issue was discovered in HttpKernel in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. 
When using HttpCache, the values of the X-Forwarded-Host headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 2.7}, "published": "2018-08-03T17:29:00", "type": "cve", "title": "CVE-2018-14774", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-14774"], "modified": "2018-10-17T17:05:00", "cpe": ["cpe:/a:sensiolabs:symfony:4.1.2", "cpe:/a:sensiolabs:symfony:2.8.43", "cpe:/a:sensiolabs:symfony:2.7.48", "cpe:/a:sensiolabs:symfony:3.3.17", "cpe:/a:sensiolabs:symfony:4.0.13", "cpe:/a:sensiolabs:symfony:3.4.13"], "id": "CVE-2018-14774", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-14774", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:sensiolabs:symfony:2.7.48:*:*:*:*:*:*:*", "cpe:2.3:a:sensiolabs:symfony:3.3.17:*:*:*:*:*:*:*", "cpe:2.3:a:sensiolabs:symfony:4.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:sensiolabs:symfony:3.4.13:*:*:*:*:*:*:*", "cpe:2.3:a:sensiolabs:symfony:2.8.43:*:*:*:*:*:*:*", "cpe:2.3:a:sensiolabs:symfony:4.0.13:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T13:24:50", 
"description": "An issue was discovered in Http Foundation in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. It arises from support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header. These headers are designed for IIS support, but it's not verified that the server is in fact running IIS, which means anybody who can send these requests to an application can trigger this. This affects \\Symfony\\Component\\HttpFoundation\\Request::prepareRequestUri() where X-Original-URL and X_REWRITE_URL are both used. The fix drops support for these methods so that they cannot be used as attack vectors such as web cache poisoning.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-08-03T17:29:00", "type": "cve", "title": "CVE-2018-14773", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-14773"], "modified": "2021-09-29T16:21:00", "cpe": ["cpe:/a:sensiolabs:symfony:4.1.2", "cpe:/o:debian:debian_linux:8.0", 
"cpe:/a:sensiolabs:symfony:2.8.43", "cpe:/a:sensiolabs:symfony:2.7.48", "cpe:/o:debian:debian_linux:9.0", "cpe:/a:sensiolabs:symfony:3.3.17", "cpe:/a:sensiolabs:symfony:4.0.13", "cpe:/a:sensiolabs:symfony:3.4.13"], "id": "CVE-2018-14773", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-14773", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:sensiolabs:symfony:2.7.48:*:*:*:*:*:*:*", "cpe:2.3:a:sensiolabs:symfony:3.3.17:*:*:*:*:*:*:*", "cpe:2.3:a:sensiolabs:symfony:4.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:sensiolabs:symfony:3.4.13:*:*:*:*:*:*:*", "cpe:2.3:a:sensiolabs:symfony:2.8.43:*:*:*:*:*:*:*", "cpe:2.3:a:sensiolabs:symfony:4.0.13:*:*:*:*:*:*:*"]}], "ubuntucve": [{"lastseen": "2021-11-22T21:30:53", "description": "An issue was discovered in HttpKernel in Symfony 2.7.0 through 2.7.48,\n2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0\nthrough 4.0.13, and 4.1.0 through 4.1.2. 
When using HttpCache, the values\nof the X-Forwarded-Host headers are implicitly set as trusted while this\nshould be forbidden, leading to potential host header injection.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 7.2, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 2.7}, "published": "2018-08-03T00:00:00", "type": "ubuntucve", "title": "CVE-2018-14774", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-14774"], "modified": "2018-08-03T00:00:00", "id": "UB:CVE-2018-14774", "href": "https://ubuntu.com/security/CVE-2018-14774", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-11-28T21:34:51", "description": "An issue was discovered in Http Foundation in Symfony 2.7.0 through 2.7.48,\n2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0\nthrough 4.0.13, and 4.1.0 through 4.1.2. It arises from support for a\n(legacy) IIS header that lets users override the path in the request URL\nvia the X-Original-URL or X-Rewrite-URL HTTP request header. These headers\nare designed for IIS support, but it's not verified that the server is in\nfact running IIS, which means anybody who can send these requests to an\napplication can trigger this. 
This affects\n\\Symfony\\Component\\HttpFoundation\\Request::prepareRequestUri() where\nX-Original-URL and X_REWRITE_URL are both used. The fix drops support for\nthese methods so that they cannot be used as attack vectors such as web\ncache poisoning.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2018-08-03T00:00:00", "type": "ubuntucve", "title": "CVE-2018-14773", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-14773"], "modified": "2018-08-03T00:00:00", "id": "UB:CVE-2018-14773", "href": "https://ubuntu.com/security/CVE-2018-14773", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"}}], "debiancve": [{"lastseen": "2022-07-04T06:02:36", "description": "An issue was discovered in HttpKernel in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. 
When using HttpCache, the values of the X-Forwarded-Host headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 7.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 2.7}, "published": "2018-08-03T17:29:00", "type": "debiancve", "title": "CVE-2018-14774", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-14774"], "modified": "2018-08-03T17:29:00", "id": "DEBIANCVE:CVE-2018-14774", "href": "https://security-tracker.debian.org/tracker/CVE-2018-14774", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-07-04T06:02:36", "description": "An issue was discovered in Http Foundation in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. It arises from support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header. These headers are designed for IIS support, but it's not verified that the server is in fact running IIS, which means anybody who can send these requests to an application can trigger this. 
This affects \\Symfony\\Component\\HttpFoundation\\Request::prepareRequestUri() where X-Original-URL and X_REWRITE_URL are both used. The fix drops support for these methods so that they cannot be used as attack vectors such as web cache poisoning.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-08-03T17:29:00", "type": "debiancve", "title": "CVE-2018-14773", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-14773"], "modified": "2018-08-03T17:29:00", "id": "DEBIANCVE:CVE-2018-14773", "href": "https://security-tracker.debian.org/tracker/CVE-2018-14773", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"}}], "drupal": [{"lastseen": "2021-11-29T21:40:05", "description": "The Drupal project uses the Symfony library. The Symfony library has released a security update that impacts Drupal. Refer to the [Symfony security advisory for the issue](<https://symfony.com/cve-2018-14773>).\n\nThe same vulnerability also exists in the Zend Feed and Diactoros libraries included in Drupal core; however, Drupal core does not use the vulnerable functionality. 
If your site or module uses Zend Feed or Diactoros directly, [read the Zend Framework security advisory](<https://framework.zend.com/security/advisory/ZF2018-01>) and update or patch as needed.\n\nThe Drupal Security Team would like to thank the Symfony and Zend Security teams for their collaboration on this issue.\n\n## Versions affected\n\n8.x versions before 8.5.6.\n\n## Solution\n\nUpgrade to Drupal 8.5.6.\n\nVersions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.\n\n## Reported By\n\n * [James Kettle](<https://www.drupal.org/u/albinowax>)\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2018-08-01T00:00:00", "type": "drupal", "title": "Drupal Core - 3rd-party libraries -SA-CORE-2018-005\n", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-14773"], "modified": "2018-08-01T00:00:00", "id": "DRUPAL-SA-CORE-2018-005", "href": "https://www.drupal.org/SA-CORE-2018-005", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2021-06-08T18:53:43", "description": "The Drupal project uses the Symfony library. 
The Symfony library has released a security update that impacts Drupal. Refer to the [Symfony security advisory for the issue](<https://symfony.com/cve-2018-14773>).\n\nThe same vulnerability also exists in the Zend Feed and Diactoros libraries included in Drupal core; however, Drupal core does not use the vulnerable functionality. If your site or module uses Zend Feed or Diactoros directly, [read the Zend Framework security advisory](<https://framework.zend.com/security/advisory/ZF2018-01>) and update or patch as needed.\n\nThe Drupal Security Team would like to thank the Symfony and Zend Security teams for their collaboration on this issue.\n\n## Versions affected\n\n8.x versions before 8.5.6.\n\n## Solution\n\nUpgrade to Drupal 8.5.6.\n\nVersions of Drupal 8 prior to 8.5.x are end-of-life and do not receive security coverage.\n\n## Reported By\n\n * [James Kettle](<https://www.drupal.org/u/albinowax>)\n", "edition": 3, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-08-01T00:00:00", "type": "drupal", "title": "Drupal Core - 3rd-party libraries -SA-CORE-2018-005\n", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": 
false}, "cvelist": ["CVE-2018-14773"], "modified": "2018-08-01T00:00:00", "id": "SA-CORE-2018-005", "href": "https://www.drupal.org/SA-CORE-2018-005", "cvss": {"score": 0.0, "vector": "NONE"}}], "ibm": [{"lastseen": "2022-02-10T00:00:00", "description": "## Summary\n\nIBM API Connect has fixed the following vulnerability. \n \nAPI Connect is impacted by vulnerabilities addressed in the Drupal 8 advisory https://www.drupal.org/SA-CORE-2018-005\n\n## Vulnerability Details\n\n**CVEID: **[CVE-2018-14773](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14773>) \n**DESCRIPTION: **Drupal Core could allow a remote attacker to bypass security restrictions, caused by an access control flaw in the 3rd party Symfony HttpFoundation component. By sending a specially-crafted HTTP request, an attacker could exploit this vulnerability to bypass restrictions on higher level caches and web servers. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/147835> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)\n\n## Affected Products and Versions\n\nAffected Product | Affected Versions \n---|--- \nAPI Connect | 2018.1.0 - 2018.3.4 \n \n## Remediation/Fixes\n\nProduct | \n\nAddressed in VRMF\n\n| APAR | Remediation / First Fix \n---|---|---|--- \nAPI Connect | 2018.3.5 | LI80272 | \n\nAddressed in IBM API Connect Developer Portal 2018.3.5\n\nFollow this link and find the appropriate form factor for your installation: \"portal-images-kubernetes\" or \"apicup\" or \"IBM_APIConnect_ICP\" for 2018.3.5 or beyond.\n\n[https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+API+Connect&release=2018.3.4&platform=All&function=all](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+API+Connect&release=2018.3.4&platform=All&function=all>) \n \n## Get Notified 
about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n[https://www.drupal.org/SA-CORE-2018-005](<https://www.drupal.org/psa-2018-07-30>)\n\n## Change History\n\nAug 23 2018: Updated bulletin with vulnerability details. | 03 August 2018: original document published\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n[{\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud & Data Platform\"},\"Product\":{\"code\":\"SSMNED\",\"label\":\"IBM API Connect\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"2018.1.0-2018.3.4\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2018-08-23T16:19:33", "type": "ibm", "title": "Security Bulletin: IBM API Connect is impacted by a Drupal 8 vulnerability (CVE-2018-14773)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-14773"], "modified": "2018-08-23T16:19:33", "id": "04B37F2D160D9D367D67DA8476D560DAFCDF7FF4A1B6F6726D3E08215C1BBDB7", "href": "https://www.ibm.com/support/pages/node/719697", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"}}], "thn": [{"lastseen": "2022-05-09T12:40:21", "description": 
"It's time to update your Drupal websites. \n \nDrupal, the popular open-source content management system, has released a new version of its software to patch a security bypass vulnerability that could allow a remote attacker to take control of the affected websites. \n \nThe vulnerability, tracked as CVE-2018-14773, resides in a component of a third-party library, the **Symfony HttpFoundation component**, which is used in Drupal Core, and affects Drupal 8.x versions before 8.5.6. \n \nSince Symfony\u2014a web application framework with a set of PHP components\u2014is used by a lot of projects, the vulnerability could potentially put many web applications at risk of hacking. \n \n\n\n## Symfony Component Vulnerability\n\n \nAccording to an [advisory](<https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers>) released by Symfony, the security bypass vulnerability stems from Symfony's support for legacy and risky HTTP headers. \n\n\n> \"Support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header allows a user to access one URL but have Symfony return a different one which can bypass restrictions on higher level caches and web servers,\" Symfony said.\n\nA remote attacker can exploit it with a specially crafted 'X-Original-URL' or 'X-Rewrite-URL' HTTP header value, which overrides the path in the request URL to potentially bypass access restrictions and cause the target system to render a different URL. \n \nThe vulnerability has been fixed in Symfony versions 2.7.49, 2.8.44, 3.3.18, 3.4.14, 4.0.14, and 4.1.3, and Drupal has [patched](<https://www.drupal.org/SA-CORE-2018-005>) the issue in its latest version 8.5.6. 
\n \n\n\n## The Same Flaw Exists in Zend Framework\n\n \nBesides Symfony, the Drupal team found that a similar vulnerability also exists in the [Zend Feed](<https://framework.zend.com/security/advisory/ZF2018-01>) and Diactoros libraries included in Drupal Core, which they named 'URL Rewrite vulnerability.' \n \nHowever, the popular CMS said Drupal Core does not use the vulnerable functionality, but recommended that users patch their website if their site or module uses Zend Feed or Diactoros directly. \n \nDrupal powers millions of websites and, unfortunately, the CMS has recently been [under active attack](<https://thehackernews.com/2018/04/drupal-vulnerability-exploit.html>) since the disclosure of a highly critical remote code execution vulnerability, dubbed [Drupalgeddon2](<https://thehackernews.com/2018/04/drupal-rce-exploit-code.html>). \n \nTherefore, you are strongly advised to update your sites as soon as possible, before hackers start exploiting the new flaw to take control of your website. \n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-08-03T11:13:00", "type": "thn", "title": "Symfony Flaw Leaves Drupal Sites Vulnerable to Hackers\u2014Patch Now", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-14773"], "modified": "2018-08-03T11:13:03", "id": "THN:00596204EB45676B8CC125A102706CFC", "href": "https://thehackernews.com/2018/08/symfony-drupal-hack.html", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"}}], "debian": [{"lastseen": "2021-12-10T15:29:01", "description": "Package : symfony\nVersion : 2.3.21+dfsg-4+deb8u4\nCVE ID : CVE-2017-16652 CVE-2017-16654 CVE-2018-11385 CVE-2018-11408 \n CVE-2018-14773 CVE-2018-19789 CVE-2018-19790\n\n\nSeveral security vulnerabilities have been discovered in symfony, a PHP\nweb application framework. 
Numerous symfony components are affected:\nSecurity, bundle readers, session handling, SecurityBundle,\nHttpFoundation, Form, and Security\\Http.\n\nThe corresponding upstream advisories contain further details:\n\n[CVE-2017-16652]\nhttps://symfony.com/blog/cve-2017-16652-open-redirect-vulnerability-on-security-handlers\n\n[CVE-2017-16654]\nhttps://symfony.com/blog/cve-2017-16654-intl-bundle-readers-breaking-out-of-paths\n\n[CVE-2018-11385]\nhttps://symfony.com/blog/cve-2018-11385-session-fixation-issue-for-guard-authentication\n\n[CVE-2018-11408]\nhttps://symfony.com/blog/cve-2018-11408-open-redirect-vulnerability-on-security-handlers\n\n[CVE-2018-14773]\nhttps://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers\n\n[CVE-2018-19789]\nhttps://symfony.com/blog/cve-2018-19789-disclosure-of-uploaded-files-full-path\n\n[CVE-2018-19790]\nhttps://symfony.com/blog/cve-2018-19790-open-redirect-vulnerability-when-using-security-http\n\nFor Debian 8 "Jessie", these problems have been fixed in version\n2.3.21+dfsg-4+deb8u4.\n\nWe recommend that you upgrade your symfony packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\nAttachment:\nsignature.asc\nDescription: PGP signature\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-03-10T01:19:23", "type": "debian", "title": "[SECURITY] [DLA 1707-1] symfony security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": 
false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16652", "CVE-2017-16654", "CVE-2018-11385", "CVE-2018-11408", "CVE-2018-14773", "CVE-2018-19789", "CVE-2018-19790"], "modified": "2019-03-10T01:19:23", "id": "DEBIAN:DLA-1707-1:A69DA", "href": "https://lists.debian.org/debian-lts-announce/2019/03/msg00009.html", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-03-26T13:19:36", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4441-1 security@debian.org\nhttps://www.debian.org/security/ Sebastien Delafond\nMay 10, 2019 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : symfony\nCVE ID : CVE-2018-14773 CVE-2018-19789 CVE-2018-19790 CVE-2019-10909 \n CVE-2019-10910 CVE-2019-10911 CVE-2019-10912 CVE-2019-10913\n\nMultiple vulnerabilities were discovered in the Symfony PHP framework\nwhich could lead to cache bypass, authentication bypass, information\ndisclosure, open redirect, cross-site request forgery, deletion of\narbitrary files, or arbitrary code execution.\n\nFor the stable distribution (stretch), these problems have been fixed in\nversion 2.8.7+dfsg-1.3+deb9u2.\n\nWe recommend that you upgrade your symfony packages.\n\nFor the detailed security status of symfony please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/symfony\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can 
be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-05-10T06:26:19", "type": "debian", "title": "[SECURITY] [DSA 4441-1] symfony security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-14773", "CVE-2018-19789", "CVE-2018-19790", "CVE-2019-10909", "CVE-2019-10910", "CVE-2019-10911", "CVE-2019-10912", "CVE-2019-10913"], "modified": "2019-05-10T06:26:19", "id": "DEBIAN:DSA-4441-1:4957F", "href": "https://lists.debian.org/debian-security-announce/2019/msg00085.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-28T09:26:20", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4441-1 security@debian.org\nhttps://www.debian.org/security/ Sebastien Delafond\nMay 10, 2019 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : symfony\nCVE ID : CVE-2018-14773 CVE-2018-19789 CVE-2018-19790 CVE-2019-10909 \n 
CVE-2019-10910 CVE-2019-10911 CVE-2019-10912 CVE-2019-10913\n\nMultiple vulnerabilities were discovered in the Symfony PHP framework\nwhich could lead to cache bypass, authentication bypass, information\ndisclosure, open redirect, cross-site request forgery, deletion of\narbitrary files, or arbitrary code execution.\n\nFor the stable distribution (stretch), these problems have been fixed in\nversion 2.8.7+dfsg-1.3+deb9u2.\n\nWe recommend that you upgrade your symfony packages.\n\nFor the detailed security status of symfony please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/symfony\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-05-10T06:26:19", "type": "debian", "title": "[SECURITY] [DSA 4441-1] symfony security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-14773", "CVE-2018-19789", "CVE-2018-19790", 
"CVE-2019-10909", "CVE-2019-10910", "CVE-2019-10911", "CVE-2019-10912", "CVE-2019-10913"], "modified": "2019-05-10T06:26:19", "id": "DEBIAN:DSA-4441-1:6ED3B", "href": "https://lists.debian.org/debian-security-announce/2019/msg00085.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "osv": [{"lastseen": "2022-07-06T05:20:30", "description": "\nSeveral security vulnerabilities have been discovered in symfony, a PHP\nweb application framework. Numerous symfony components are affected:\nSecurity, bundle readers, session handling, SecurityBundle,\nHttpFoundation, Form, and Security\\Http.\n\n\nThe corresponding upstream advisories contain further details:\n\n\n[[CVE-2017-16652](https://security-tracker.debian.org/tracker/CVE-2017-16652)]\n<https://symfony.com/blog/cve-2017-16652-open-redirect-vulnerability-on-security-handlers>\n\n\n[[CVE-2017-16654](https://security-tracker.debian.org/tracker/CVE-2017-16654)]\n<https://symfony.com/blog/cve-2017-16654-intl-bundle-readers-breaking-out-of-paths>\n\n\n[[CVE-2018-11385](https://security-tracker.debian.org/tracker/CVE-2018-11385)]\n<https://symfony.com/blog/cve-2018-11385-session-fixation-issue-for-guard-authentication>\n\n\n[[CVE-2018-11408](https://security-tracker.debian.org/tracker/CVE-2018-11408)]\n<https://symfony.com/blog/cve-2018-11408-open-redirect-vulnerability-on-security-handlers>\n\n\n[[CVE-2018-14773](https://security-tracker.debian.org/tracker/CVE-2018-14773)]\n<https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers>\n\n\n[[CVE-2018-19789](https://security-tracker.debian.org/tracker/CVE-2018-19789)]\n<https://symfony.com/blog/cve-2018-19789-disclosure-of-uploaded-files-full-path>\n\n\n[[CVE-2018-19790](https://security-tracker.debian.org/tracker/CVE-2018-19790)]\n<https://symfony.com/blog/cve-2018-19790-open-redirect-vulnerability-when-using-security-http>\n\n\nFor Debian 8 Jessie, these problems have been fixed in version\n2.3.21+dfsg-4+deb8u4.\n\n\nWe 
recommend that you upgrade your symfony packages.\n\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: <https://wiki.debian.org/LTS>\n\n\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-03-09T00:00:00", "type": "osv", "title": "symfony - security update", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16652", "CVE-2017-16654", "CVE-2018-11385", "CVE-2018-11408", "CVE-2018-14773", "CVE-2018-19789", "CVE-2018-19790"], "modified": "2022-07-06T01:45:07", "id": "OSV:DLA-1707-1", "href": "https://osv.dev/vulnerability/DLA-1707-1", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-06T05:03:48", "description": "\nMultiple vulnerabilities were discovered in the Symfony PHP framework\nwhich could lead to cache bypass, authentication bypass, information\ndisclosure, open redirect, cross-site request forgery, deletion of\narbitrary files, or arbitrary code execution.\n\n\nFor the stable distribution (stretch), these problems have been fixed in\nversion 
2.8.7+dfsg-1.3+deb9u2.\n\n\nWe recommend that you upgrade your symfony packages.\n\n\nFor the detailed security status of symfony please refer to\nits security tracker page at:\n[\\\nhttps://security-tracker.debian.org/tracker/symfony](https://security-tracker.debian.org/tracker/symfony)\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-05-10T00:00:00", "type": "osv", "title": "symfony - security update", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-14773", "CVE-2018-19789", "CVE-2018-19790", "CVE-2019-10909", "CVE-2019-10910", "CVE-2019-10911", "CVE-2019-10912", "CVE-2019-10913"], "modified": "2022-07-06T02:58:51", "id": "OSV:DSA-4441-1", "href": "https://osv.dev/vulnerability/DSA-4441-1", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}