HTTP Request Manipulation Vulnerability in Symfony by Sensio Labs
CVE-2018-14773

6.5 MEDIUM

Key Information:

Vendor: Sensiolabs
Status: Vendor
CVE Published: 3 August 2018

What is CVE-2018-14773?

A vulnerability was identified in the HttpFoundation component of Symfony that permits misuse of two HTTP request headers, X-Original-URL and X-Rewrite-URL. These headers exist for Internet Information Services (IIS) compatibility, but the component honoured them without verifying that it was actually running in that server context, so any user able to send crafted requests could exploit the weakness. Such manipulation can lead to unauthorized actions, for example web cache poisoning. The issue has since been addressed by removing support for these headers, closing this attack vector.
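An added illustration, not Symfony's own code, of the pattern the advisory describes: request-path resolution that honours the two headers unconditionally beside the hardened form that ignores them, plus a check a defender can apply to incoming requests. The function names and the sample request are constructed for this example.

```php
<?php
declare(strict_types=1);
// Constructed illustration, not Symfony's own code: how unconditionally honouring
// the X-Original-URL / X-Rewrite-URL headers lets a client change the path the
// application routes on, and the hardened variant that ignores them (the fix
// described above removed support for both headers).

/**
 * Return the path the application will route on.
 * $server mimics PHP's $_SERVER; $honourIisRewriteHeaders switches between the
 * pre-fix behaviour (true) and the hardened behaviour (false).
 */
function resolveRequestPath(array $server, bool $honourIisRewriteHeaders): string
{
    if ($honourIisRewriteHeaders) {
        // Pre-fix pattern: a client-supplied header replaces the real URI with
        // no check that the app is actually running behind an IIS rewrite module.
        foreach (['HTTP_X_ORIGINAL_URL', 'HTTP_X_REWRITE_URL'] as $key) {
            if (isset($server[$key]) && $server[$key] !== '') {
                return $server[$key];
            }
        }
    }

    // Hardened: only the URI the web server itself populated is trusted.
    return $server['REQUEST_URI'];
}

/**
 * Detection helper for a reverse proxy rule or log review: true when a request
 * carries either override header. Outside an IIS rewrite setup these headers
 * have no legitimate sender, so their presence is worth alerting on.
 */
function carriesPathOverrideHeader(array $server): bool
{
    return isset($server['HTTP_X_ORIGINAL_URL']) || isset($server['HTTP_X_REWRITE_URL']);
}

// Constructed sample request: the URL a shared cache would key on is /public/page,
// but the override header points the application at a different route.
$sample = [
    'REQUEST_URI'         => '/public/page',
    'HTTP_X_ORIGINAL_URL' => '/some/other/page',
];

printf("pre-fix route:  %s\n", resolveRequestPath($sample, true));
printf("hardened route: %s\n", resolveRequestPath($sample, false));
printf("override header present: %s\n", carriesPathOverrideHeader($sample) ? 'yes' : 'no');
```

The mismatch between the cache key (REQUEST_URI) and the pre-fix routed path is what makes the cache-poisoning outcome named in the description possible; the hardened variant removes that mismatch.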


CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
