GoogleOSV:GHSA-Q3J3-W37X-HQ2QWebcache Poisoning in symfony/http-kernel
0.001 Low
EPSS
Percentile
39.3%
Description
When a Symfony application is running behind a proxy or a load-balancer, you can tell Symfony to look for the X-Forwarded-* HTTP headers. HTTP headers that are not part of the βtrusted_headersβ allowed list are ignored and protect you from βCache poisoningβ attacks.
In Symfony 5.2, weβve added support for the X-Forwarded-Prefix header, but this header was accessible in sub-requests, even if it was not part of the βtrusted_headersβ allowed list. An attacker could leverage this opportunity to forge requests containing a X-Forwarded-Prefix HTTP header, leading to a web cache poisoning issue.
Resolution
Symfony now ensures that the X-Forwarded-Prefix HTTP header is not forwarded to sub-requests when it is not trusted.
The patch for this issue is available here for branch 5.3.
Credits
We would like to thank Soner Sayakci for reporting the issue and JΓ©rΓ©my DerussΓ© for fixing the issue.
References
github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-kernel/CVE-2021-41267.yaml
github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2021-41267.yaml
github.com/symfony/symfony/commit/95dcf51682029e89450aee86267e3d553aa7c487
github.com/symfony/symfony/pull/44243
github.com/symfony/symfony/releases/tag/v5.3.12
github.com/symfony/symfony/security/advisories/GHSA-q3j3-w37x-hq2q
nvd.nist.gov/vuln/detail/CVE-2021-41267
symfony.com/cve-2021-41267
Related
