CVSS3: 7.2 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N

EPSS: 0.001 Low
Percentile: 29.6%

An issue was discovered in HttpKernel in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. When using HttpCache, the values of the X-Forwarded-Host headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection.
Name | Operator | Version
---|---|---
symfony/symfony | le | 4.1.2
symfony/symfony | le | 4.0.13
symfony/symfony | le | 3.4.13
symfony/symfony | le | 3.3.17
symfony/symfony | le | 2.8.43
symfony/symfony | le | 2.7.48
github.com/advisories/GHSA-66p6-7p29-55p9
github.com/symfony/symfony
github.com/symfony/symfony/commit/725dee4cd8b4ccd52e335ae4b4522242cea9bd4a
github.com/symfony/symfony/commit/7f912bbb78377c2ea331b3da28363435fbd91337
github.com/symfony/symfony/commit/96504fb8c9f91204727d2930eb837473ce154956
github.com/symfony/symfony/commit/974240e178bb01d734bf1df1ad5c3beba6a2f982
github.com/symfony/symfony/commit/9cfcaba0bf71f87683510b5f47ebaac5f5d6a5ba
github.com/symfony/symfony/commit/bcf5897bb1a99d4acae8bf7b73e81bfdeaac0922
nvd.nist.gov/vuln/detail/CVE-2018-14774
symfony.com/blog/cve-2018-14774-possible-host-header-injection-when-using-httpcache