CVE-2021-41267

2021-11-2400:00:00

ubuntu.com

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

4.3 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.001 Low

EPSS

Percentile

39.2%

JSON

Symfony/Http-Kernel is the HTTP kernel component for Symfony, a PHP
framework for web and console applications and a set of reusable PHP
components. Headers that are not part of the “trusted_headers” allowed list
are ignored and protect users from “Cache poisoning” attacks. In Symfony
5.2, maintainers added support for the X-Forwarded-Prefix headers, but
this header was accessible in SubRequest, even if it was not part of the
“trusted_headers” allowed list. An attacker could leverage this opportunity
to forge requests containing a X-Forwarded-Prefix header, leading to a
web cache poisoning issue. Versions 5.3.12 and later have a patch to ensure
that the X-Forwarded-Prefix header is not forwarded to subrequests when
it is not trusted.

OSVersionArchitecturePackageVersionFilename
ubuntu22.04noarchsymfony< anyUNKNOWN
ubuntu23.10noarchsymfony< anyUNKNOWN
ubuntu24.04noarchsymfony< anyUNKNOWN