symfony/http-kernel is vulnerable to HTTP request smuggling. The vulnerability exists in the handle function of SubRequestHandler due to a missing extra trusted header in sub-requests, which allows an attacker to forge requests containing an X-Forwarded-Prefix HTTP header, leading to a web cache poisoning issue.
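
A simplified model of the flaw described above, as an added example that is not Symfony's code: the header lists, function names and sample request are assumptions made for illustration. It shows a client-supplied X-Forwarded-Prefix surviving into a sub-request when that header is missing from the list handled for sub-requests, and being dropped once it is included.

```php
<?php
// Simplified model of sub-request header handling. Assumption for
// illustration only; this is not Symfony's SubRequestHandler source.

// Forwarded headers removed from the client's request before the
// sub-request is treated as arriving through a trusted hop.
$incomplete = ['forwarded', 'x-forwarded-for', 'x-forwarded-host',
               'x-forwarded-proto', 'x-forwarded-port'];
$complete = array_merge($incomplete, ['x-forwarded-prefix']);

function buildSubRequestHeaders(array $clientHeaders, array $strip): array
{
    $sub = [];
    foreach ($clientHeaders as $name => $value) {
        $name = strtolower($name);
        if (!in_array($name, $strip, true)) {
            $sub[$name] = $value;
        }
    }
    return $sub;
}

// URL prefix the application would use when generating links for the
// (cacheable) fragment rendered by the sub-request.
function urlPrefix(array $subHeaders): string
{
    return rtrim($subHeaders['x-forwarded-prefix'] ?? '', '/');
}

// Constructed sample request: the prefix header comes from the client,
// not from a reverse proxy.
$clientHeaders = [
    'Host' => 'shop.example',
    'X-Forwarded-Proto' => 'https',
    'X-Forwarded-Prefix' => '/client-supplied',
];

foreach (['incomplete list' => $incomplete, 'complete list' => $complete] as $label => $strip) {
    $sub = buildSubRequestHeaders($clientHeaders, $strip);
    $link = urlPrefix($sub) . '/product/42';
    $tainted = isset($sub['x-forwarded-prefix']) ? 'yes' : 'no';
    printf("%-16s link=%s client prefix kept=%s\n", $label, $link, $tainted);
}
```

A link generated with the client-supplied prefix is what ends up stored in a shared cache, which is why the header has to be removed before the fragment is rendered.
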
github.com/shopware/core/commit/b4c2eab0e6547884fd543a598d164b1f49f4c96c
github.com/shopware/platform/commit/9062f15450d183f2c666664841efd4f5ef25e0f3
github.com/shopware/platform/security/advisories/GHSA-r64m-qchj-hrjp
github.com/symfony/http-kernel/commit/7e7cf0c029aa418c49e34df83644e04a1056e2ff
github.com/symfony/http-kernel/commit/c33400628b453d0c5b88f823e0302ed870d2269f
github.com/symfony/symfony/commit/95dcf51682029e89450aee86267e3d553aa7c487
github.com/symfony/symfony/commit/dcdd62c67657f23cf90bf9eadca75ad58ac91f41
github.com/symfony/symfony/pull/44243
github.com/symfony/symfony/releases/tag/v5.3.12
github.com/symfony/symfony/security/advisories/GHSA-q3j3-w37x-hq2q
symfony.com/blog/cve-2021-41267-webcache-poisoning-via-x-forwarded-prefix-and-sub-request