GoogleOSV:GHSA-MCX4-F5F5-4859Prevent cache poisoning via a Response Content-Type header in Symfony
0.002 Low
EPSS
Percentile
54.9%
Description
When a Response does not contain a Content-Type header, Symfony falls back to the format defined in the Accept header of the request, leading to a possible mismatch between the response’s content and Content-Type header. When the response is cached, this can lead to a corrupted cache where the cached format is not the right one.
Resolution
Symfony does not use the Accept header anymore to guess the Content-Type.
The patch for this issue is available here for the 4.4 branch.
Credits
I would like to thank Xavier Lacot from JoliCode for reporting & Yonel Ceruto and Tobias Schultze for fixing the issue.
References
github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2020-5255.yaml
github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2020-5255.yaml
github.com/symfony/symfony/commit/dca343442e6a954f96a2609e7b4e9c21ed6d74e6
github.com/symfony/symfony/security/advisories/GHSA-mcx4-f5f5-4859
lists.fedoraproject.org/archives/list/[email protected]/message/C36JLPHUPKDFAX6D5WYFC4ALO2K7RDUQ
nvd.nist.gov/vuln/detail/CVE-2020-5255
symfony.com/blog/cve-2020-5255-prevent-cache-poisoning-via-a-response-content-type-header
symfony.com/cve-2020-5255
Related
