6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:S/C:N/I:P/A:N
symfony/symfony is vulnerable to insecure HTTP headers. The library supports the legacy HTTP request headers X_ORIGINAL_URL and X_REWRITE_URL (the IIS URL Rewrite headers X-Original-URL and X-Rewrite-URL), which are considered insecure: when either header is present, its value replaces the request URI that Symfony routes on. This can allow a malicious user to bypass authorization by setting the header so that Symfony serves a different URL from the one actually requested, defeating access restrictions that a reverse proxy, cache or web server in front of the application enforces on the original path. The referenced commit removes support for both headers.
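The following is an added example, not code from Symfony or from this advisory. It models the mechanism described above: an edge layer applies its access rule to the path in the request line, while a back end that honours the legacy override headers routes on the header value instead. The deny rule, paths, header values and the strip_legacy_headers mitigation are all constructed for illustration.

```python
"""Model of CVE-2018-14773 (added example, not Symfony's own code).

An edge component (reverse proxy, cache, web server) decides access from
the path in the request line.  A back end that still honours
X-Original-URL / X-Rewrite-URL then resolves its own path from the header,
so the client reaches a resource the edge never saw.  Everything below is
constructed for illustration.
"""
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlsplit

# Assumed edge rule: anything under /admin is denied before reaching the app.
FRONTEND_DENY_PREFIXES = ("/admin",)

# The two legacy IIS rewrite headers the vulnerable versions honoured.
LEGACY_OVERRIDE_HEADERS = ("x-original-url", "x-rewrite-url")

Headers = Dict[str, str]
PathResolver = Callable[[str, Headers], str]


def get_header(headers: Headers, name: str) -> Optional[str]:
    """Case-insensitive lookup; HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def frontend_allows(request_path: str) -> bool:
    """The edge only ever sees the request-line path, never the override."""
    return not any(request_path.startswith(p) for p in FRONTEND_DENY_PREFIXES)


def vulnerable_path_info(request_path: str, headers: Headers) -> str:
    """Pre-fix behaviour: an override header replaces the request URI.

    The header may carry a full URL or just a path; only the path part is
    routed on, and the query string is ignored for this model.
    """
    for name in LEGACY_OVERRIDE_HEADERS:
        value = get_header(headers, name)
        if value is not None:
            return urlsplit(value).path or "/"
    return request_path


def fixed_path_info(request_path: str, headers: Headers) -> str:
    """Post-fix behaviour: the request line is the only source of the path."""
    return request_path


def strip_legacy_headers(headers: Headers) -> Headers:
    """Proxy-side mitigation: drop the override headers before forwarding.

    Useful as a stopgap until the back end is upgraded to a fixed version.
    """
    return {k: v for k, v in headers.items()
            if k.lower() not in LEGACY_OVERRIDE_HEADERS}


def handle(request_path: str, headers: Headers,
           path_info: PathResolver) -> Tuple[int, str]:
    """Edge check first, then application routing on the resolved path."""
    if not frontend_allows(request_path):
        return 403, "blocked at front end"
    path = path_info(request_path, headers)
    if path.startswith("/admin"):
        return 200, "admin panel"
    return 200, "public page"


if __name__ == "__main__":
    # Direct request is stopped at the edge.
    print(handle("/admin", {}, vulnerable_path_info))
    # Same target via the override header slips past the edge (vulnerable).
    print(handle("/", {"X-Original-URL": "/admin"}, vulnerable_path_info))
    # Fixed back end ignores the header.
    print(handle("/", {"X-Original-URL": "/admin"}, fixed_path_info))
    # Unfixed back end behind a proxy that strips the header.
    stripped = strip_legacy_headers({"X-Original-URL": "/admin", "Host": "app"})
    print(handle("/", stripped, vulnerable_path_info))
```

The model also accepts a full URL in the header, since the override value was used as the request URI rather than validated as a path; a fixed back end takes the path only from the request line, and a proxy that cannot be upgraded in step can drop both headers as shown by strip_legacy_headers.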
www.securityfocus.com/bid/104943
www.securitytracker.com/id/1041405
github.com/symfony/symfony/commit/e447e8b92148ddb3d1956b96638600ec95e08f6b
lists.debian.org/debian-lts-announce/2019/03/msg00009.html
seclists.org/bugtraq/2019/May/21
symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers
www.debian.org/security/2019/dsa-4441
www.drupal.org/SA-CORE-2018-005