RCE in Symfony
CVE-2020-15094

8HIGH

Key Information:

Vendor

Symfony

Status
Symfony
Vendor
CVE Published:
2 September 2020

What is CVE-2020-15094?

In Symfony before versions 4.4.13 and 5.1.5, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response for a request being made by the CachingHttpClient, remote code execution is possible. This has been fixed in versions 4.4.13 and 5.1.5.

Affected Version(s)

symfony >= 4.4.0, < 4.4.13 < 4.4.0, 4.4.13

symfony >= 5.0.0, < 5.1.5 < 5.0.0, 5.1.5

References

https://github.com/symfony/symfony/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/symfony/symfony/commit/d9910e0b33a2e0f...
x_refsource_MISC
https://packagist.org/packages/symfony/symfony
x_refsource_MISC

CVSS V3.1

Score:
8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.