46 matches found

OSV
added 2020/09/02 6:15 p.m. · 12 views

CVE-2020-15094

In Symfony before versions 4.4.13 and 5.1.5, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially...

CVSS 8.8 · AI score 8.9
Exploits 0 · References 6

UbuntuCve
added 2020/09/02 6:15 p.m. · 34 views

CVE-2020-15094

In Symfony before versions 4.4.13 and 5.1.5, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially...

CVSS 8.8 · AI score 7.6 · EPSS 0.02248
Exploits 0 · References 5

ATTACKERKB
added 2020/09/02 6:15 p.m. · 0 views

CVE-2020-15094

In Symfony before versions 4.4.13 and 5.1.5, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially...

CVSS 8.8 · AI score 6.3 · EPSS 0.02248
Exploits 0 · References 10 · Affected Software 1

Debian CVE
added 2020/09/02 5:35 p.m. · 29 views

CVE-2020-15094

In Symfony before versions 4.4.13 and 5.1.5, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially...

CVSS 8.8 · AI score 8.9 · EPSS 0.02248
Exploits 0

OSV
added 2020/09/02 5:29 p.m. · 77 views

GHSA-754H-5R27-7X3R RCE in Symfony

Description ----------- The CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially written with surroga...

CVSS 8 · AI score 8.7 · EPSS 0.02248
Exploits 0 · References 11

Positive Technologies
added 2020/09/02 12:0 a.m. · 3 views

PT-2020-14179 · Symfony · Symfony

Name of the Vulnerable Software and Affected Versions: Symfony versions prior to 4.4.13 Symfony versions prior to 5.1.5 Description: The CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval...

CVSS 8.8 · AI score 8.9 · EPSS 0.02248
Exploits 0 · References 18

Symfony
added 2020/09/02 12:0 a.m. · 54 views

CVE-2020-15094: Prevent RCE when calling untrusted remote with CachingHttpClient

Affected versions Symfony 4.3, 4.4.0 to 4.4.12, 5.0, and 5.1.0 to 5.1.4 versions of the Symfony HttpClient component are affected by this security issue. The issue has been fixed in Symfony 4.4.13 and 5.1.5. Symfony 4.3 and 5.0 won't be patched as they are not maintained anymore. Description The...

CVSS 8.8 · AI score 8.3 · EPSS 0.02248
Exploits 0

Tenable Nessus
added 2019/01/03 12:0 a.m. · 25 views

Fedora 28 : php-symfony (2018-9b54497b6e)

2.8.44 2018-08-01 - security cve-2018-14774 HttpKernel fix trusted headers management in HttpCache and InlineFragmentRenderer nicolas-grekas - security cve-2018-14773 HttpFoundation Remove support for legacy and risky HTTP headers nicolas-grekas - bug 28003 HttpKernel Fixes invalid REMOTEADDR in...

CVSS 7.2 · AI score 7.4 · EPSS 0.16652
Exploits 0 · References 2

Tenable Nessus
added 2018/08/15 12:0 a.m. · 28 views

Fedora 27 : php-symfony3 (2018-6f3ceeb7cb)

3.3.18 2018-08-01 - security cve-2018-14774 HttpKernel fix trusted headers management in HttpCache and InlineFragmentRenderer nicolas-grekas - security cve-2018-14773 HttpFoundation Remove support for legacy and risky HTTP headers nicolas-grekas Note that Tenable Network Security has extracted th...

CVSS 7.2 · AI score 7.4 · EPSS 0.16652
Exploits 0 · References 2

Veracode
added 2018/08/06 6:19 a.m. · 20 views

Header Injection

symfony is vulnerable to header injection. The injection is possible because the X-Forwarded-Host by default is configured as trusted while using HttpCache, allowing a malicious user to conduct a header injection attack...

CVSS 7.2 · AI score 6.8 · EPSS 0.00166
Exploits 0 · References 2 · Affected Software 2

OpenVAS
added 2018/08/06 12:0 a.m. · 62 views

Sensiolabs Symfony <= 2.7.48, 2.8.* <= 2.8.43, 3.* <= 3.3.17, 3.4.* <= 3.4.13, 4.0.* <= 4.0.13 and 4.1.* <= 4.1.2 Multiple Vulnerabilities

This host runs Symfony and is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2018 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only if description...

CVSS 7.2 · AI score 6.6 · EPSS 0.16652
Exploits 0 · References 2

OSV
added 2018/08/03 5:29 p.m. · 1 views

DEBIAN-CVE-2018-14774

An issue was discovered in HttpKernel in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. When using HttpCache, the values of the X-Forwarded-Host headers are implicitly set as trusted while this should ...

CVSS 7.2 · AI score 7 · EPSS 0.00166
Exploits 0 · References 1

OSV
added 2018/08/03 5:29 p.m. · 0 views

UBUNTU-CVE-2018-14774

An issue was discovered in HttpKernel in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. When using HttpCache, the values of the X-Forwarded-Host headers are implicitly set as trusted while this should ...

CVSS 7.2 · AI score 7 · EPSS 0.00166
Exploits 0 · References 3

UbuntuCve
added 2018/08/03 5:29 p.m. · 18 views

CVE-2018-14774

An issue was discovered in HttpKernel in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. When using HttpCache, the values of the X-Forwarded-Host headers are implicitly set as trusted while this should ...

CVSS 7.2 · AI score 7 · EPSS 0.00166
Exploits 0 · References 2

Symfony
added 2018/08/01 12:0 a.m. · 57 views

CVE-2018-14774: Possible host header injection when using HttpCache

Affected versions Symfony 2.7.0 to 2.7.48, 2.8.0 to 2.8.43, 3.3.0 to 3.3.17, 3.4.0 to 3.4.13, 4.0.0 to 4.0.13, and 4.1.0 to 4.1.2 versions of the Symfony HttpKernel component are affected by this security issue. The issue has been fixed in Symfony 2.7.49, 2.8.44, 3.3.18, 3.4.14, 4.0.14, and 4.1.3...

CVSS 7.2 · AI score 6.3 · EPSS 0.00166
Exploits 0

Veracode
added 2017/09/06 3:4 a.m. · 10 views

Denial Of Service (DoS)

scrapy is vulnerable to denial of service attacks. The vulnerability exists in garbagecollect functions in httpcache.py. When multiple large files are read into memory concurrently by the application, large amounts of memory can be consumed, causing a denial of service...

CVSS 7.5 · AI score 7.1 · EPSS 0.00505
Exploits 1 · References 3 · Affected Software 1

Veracode
added 2017/07/28 8:49 a.m. · 23 views

Arbitrary Code Injection

Symfony is vulnerable to arbitrary code injection attacks. A malicious user can inject and execute arbitrary PHP code with a language="php" attribute of a SCRIPT element through the Symfony\Component\HttpKernel\HttpCache class. This vulnerability only affects applications with ESI or SSI support...

CVSS 6.8 · AI score 7.3 · EPSS 0.00543
Exploits 0 · References 6 · Affected Software 1

OSV
added 2015/06/24 10:59 a.m. · 1 views

DEBIAN-CVE-2015-2308

Eval injection vulnerability in the HttpCache class in HttpKernel in Symfony 2.x before 2.3.27, 2.4.x and 2.5.x before 2.5.11, and 2.6.x before 2.6.6 allows remote attackers to execute arbitrary PHP code via a language="php" attribute of a SCRIPT element...

CVSS 6.8 · AI score 8.2 · EPSS 0.00543
Exploits 0 · References 1

NVD
added 2015/06/24 10:59 a.m. · 13 views

CVE-2015-2308

Eval injection vulnerability in the HttpCache class in HttpKernel in Symfony 2.x before 2.3.27, 2.4.x and 2.5.x before 2.5.11, and 2.6.x before 2.6.6 allows remote attackers to execute arbitrary PHP code via a language="php" attribute of a SCRIPT element...

CVSS 6.8 · AI score 7.6 · EPSS 0.00543
Exploits 0 · References 4

OSV
added 2015/06/24 10:59 a.m. · 5 views

CVE-2015-2308

Eval injection vulnerability in the HttpCache class in HttpKernel in Symfony 2.x before 2.3.27, 2.4.x and 2.5.x before 2.5.11, and 2.6.x before 2.6.6 allows remote attackers to execute arbitrary PHP code via a language="php" attribute of a SCRIPT element...

CVSS 6.8 · AI score 7.5 · EPSS 0.00543
Exploits 0 · References 5