8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
Access Complexity
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.007 Low
EPSS
Percentile
80.6%
In Symfony before versions 4.4.13 and 5.1.5, the CachingHttpClient class
from the HttpClient Symfony component relies on the HttpCache class to
handle requests. HttpCache uses internal headers like X-Body-Eval and
X-Body-File to control the restoration of cached responses. The class was
initially written with surrogate caching and ESI support in mind (all HTTP
calls come from a trusted backend in that scenario). But when used by
CachingHttpClient and if an attacker can control the response for a request
being made by the CachingHttpClient, remote code execution is possible.
This has been fixed in versions 4.4.13 and 5.1.5.
github.com/symfony/symfony/commit/d9910e0b33a2e0f993abff41c6fbc86951b66d78
github.com/symfony/symfony/security/advisories/GHSA-754h-5r27-7x3r
launchpad.net/bugs/cve/CVE-2020-15094
nvd.nist.gov/vuln/detail/CVE-2020-15094
packagist.org/packages/symfony/http-kernel
packagist.org/packages/symfony/symfony
security-tracker.debian.org/tracker/CVE-2020-15094
www.cve.org/CVERecord?id=CVE-2020-15094
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
Access Complexity
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.007 Low
EPSS
Percentile
80.6%