Host Header Injection Vulnerability in Symfony HttpKernel
CVE-2018-14774

7.2 HIGH

Key Information:

Vendor: Sensiolabs
Status: Vendor
CVE Published: 3 August 2018

Summary

A vulnerability in Symfony's HttpKernel allows host header injection when HttpCache is in use. Specifically, X-Forwarded-Host headers are treated as trusted without proper validation, so an attacker could manipulate the host the application sees for a request in order to redirect requests or bypass security controls. This issue affects multiple versions of Symfony, and it is critically important that users validate these headers properly to prevent exploitation.
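As an added, generic illustration (not Symfony's code, and not the patch that fixed this CVE), the following Python sketch shows the trust decision the summary describes: a naive resolver that honours X-Forwarded-Host from any peer, beside a hardened one that only honours it when the connecting address is a configured trusted proxy and then checks the result against a host allowlist. The proxy ranges, hostnames and request dictionaries are constructed sample values.

```python
"""Added illustration of the host-trust decision behind a host header
injection flaw. This is generic example code, not Symfony's HttpKernel or
HttpCache implementation, and not the upstream fix for CVE-2018-14774."""
import re
from ipaddress import ip_address, ip_network

# Constructed sample configuration: addresses of our own reverse proxies /
# caches, and the hostnames this application is allowed to serve.
TRUSTED_PROXIES = ["10.0.0.0/8", "192.0.2.10/32"]
ALLOWED_HOSTS = {"app.example.test", "www.example.test"}

# Hostname or hostname:port; rejects whitespace, slashes and other junk.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]+(:\d{1,5})?$")


def _lower_headers(headers):
    """Normalise header names to lower case for lookup."""
    return {name.lower(): value for name, value in headers.items()}


def resolve_host_naive(headers):
    """Vulnerable pattern: X-Forwarded-Host wins whenever it is present,
    regardless of who sent the request. Any direct client can therefore
    choose the host the application believes it is serving."""
    hdrs = _lower_headers(headers)
    return hdrs.get("x-forwarded-host", hdrs.get("host", ""))


def resolve_host(remote_addr, headers, trusted_proxies, allowed_hosts):
    """Hardened pattern. Returns the hostname the application should act on,
    or None when the request must be rejected.

    1. X-Forwarded-Host is honoured only if the direct peer is a trusted proxy.
    2. Whatever host results must be syntactically sane.
    3. It must also be on the explicit allowlist (a trusted proxy can still
       forward a hostile value if the proxy itself is misconfigured)."""
    hdrs = _lower_headers(headers)
    host = hdrs.get("host", "")

    peer = ip_address(remote_addr)
    peer_is_proxy = any(peer in ip_network(net) for net in trusted_proxies)
    if peer_is_proxy and "x-forwarded-host" in hdrs:
        # With chained proxies the header may hold a comma-separated list;
        # the leftmost entry is the host the original client asked for.
        host = hdrs["x-forwarded-host"].split(",")[0].strip()

    if not HOSTNAME_RE.match(host):
        return None

    hostname = host.rsplit(":", 1)[0].lower()  # drop an optional port
    if hostname not in allowed_hosts:
        return None
    return hostname


if __name__ == "__main__":
    # Constructed request: an untrusted client on the public internet tries
    # to override the host via X-Forwarded-Host.
    spoofed = {"Host": "app.example.test", "X-Forwarded-Host": "evil.example.test"}
    print("naive   :", resolve_host_naive(spoofed))
    print("hardened:", resolve_host("203.0.113.5", spoofed, TRUSTED_PROXIES, ALLOWED_HOSTS))
    # Constructed request: the same header arriving from our own cache.
    via_cache = {"Host": "cache.internal", "X-Forwarded-Host": "app.example.test"}
    print("via proxy:", resolve_host("10.0.0.2", via_cache, TRUSTED_PROXIES, ALLOWED_HOSTS))
```

The two checks are deliberately independent: the trusted-proxy test decides whether the forwarded header is even consulted, and the allowlist catches values that a trusted but misconfigured proxy passes through. Dropping either one reintroduces the class of problem this advisory describes.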

References

CVSS V3.1

Score: 7.2
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

CVE-2018-14774 : Host Header Injection Vulnerability in Symfony HttpKernel | SecurityVulnerability.io