HTTP Request Manipulation Vulnerability in Symfony by Sensio Labs
CVE-2018-14773

6.5 MEDIUM

Key Information:

Vendor
Sensiolabs
Status
Vendor
CVE Published:
3 August 2018

Summary

A vulnerability was identified in the HttpFoundation component of Symfony that permits misuse of two HTTP request headers, X-Original-URL and X-Rewrite-URL. These headers exist for Internet Information Services (IIS) compatibility, where the IIS rewrite module sets them to carry the original request URI, but Symfony honoured them without verifying that the request actually came from such a server context, so any user able to send crafted requests could override the URI the application saw. This manipulation can potentially lead to unauthorized actions, such as web cache poisoning. The issue has since been addressed by removing support for these headers, thereby closing this vector of attack.
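As an added illustration (not code from Symfony or from this advisory), the following Python check shows what a front-end proxy or log reviewer can do with the weakness described above: it parses a constructed raw request head, flags the two IIS-only override headers the advisory names when their value differs from the request-line path, and produces the sanitised header set to forward. The helper names are assumptions.

```python
from typing import Dict, List, Tuple

# IIS rewrite-module headers that Symfony HttpFoundation used to honour when
# building the request URI (support removed by the fix for CVE-2018-14773).
URL_OVERRIDE_HEADERS = ("x-original-url", "x-rewrite-url")


def parse_request_head(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.1 request head into (request-target, lower-cased headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    _method, target, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines without a colon
            headers[name.strip().lower()] = value.strip()
    return target, headers


def find_url_overrides(headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (header, value) pairs for any URL-override header present."""
    return [(h, headers[h]) for h in URL_OVERRIDE_HEADERS if h in headers]


def strip_url_overrides(headers: Dict[str, str]) -> Dict[str, str]:
    """Header set a front-end proxy should forward: override headers dropped."""
    return {k: v for k, v in headers.items() if k not in URL_OVERRIDE_HEADERS}


def audit_request(raw: str) -> dict:
    """Flag a request whose override header would make the application see a
    different path than the request line carries (the cache-poisoning precondition)."""
    target, headers = parse_request_head(raw)
    overrides = find_url_overrides(headers)
    return {
        "target": target,
        "overrides": overrides,
        "suspicious": any(value != target for _, value in overrides),
        "forward_headers": strip_url_overrides(headers),
    }


# Constructed sample request head (not captured traffic).
SAMPLE_REQUEST = (
    "GET /index.php HTTP/1.1\r\n"
    "Host: app.example\r\n"
    "X-Original-URL: /some/other/path\r\n"
    "\r\n"
)
```

On a server that is not behind IIS these headers have no legitimate source, so a proxy can drop them unconditionally; the audit result is what a log pipeline would alert on.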

References

EPSS Score

5% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
