Host Header Injection Vulnerability in Symfony HttpKernel
CVE-2018-14774

7.2HIGH

Key Information:

Vendor: Sensiolabs
Status: Symfony
Vendor: CVE Published:; 3 August 2018

What is CVE-2018-14774?

A vulnerability in Symfony's HttpKernel allows for host header injection when using HttpCache. Specifically, the X-Forwarded-Host headers are treated as trusted without proper validation, opening the door to potential security breaches where an attacker could manipulate the request's Host header to redirect requests or bypass security controls. This issue affects multiple versions of Symfony, and it is critically important for users to validate the headers properly to prevent exploitation.

References

https://github.com/symfony/symfony/commit/725dee4cd8b4ccd...

x_refsource_CONFIRM

https://symfony.com/blog/cve-2018-14774-possible-host-hea...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 3, 2018
Vulnerability Reserved
Jul 31, 2018

Sensiolabs

What is CVE-2018-14774?

References

CVSS V3.1

Timeline