RCE in Symfony
CVE-2020-15094

8HIGH

Key Information:

Vendor
Symfony
Status
Symfony
Vendor
CVE Published:
2 September 2020

Summary

In Symfony before versions 4.4.13 and 5.1.5, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response for a request being made by the CachingHttpClient, remote code execution is possible. This has been fixed in versions 4.4.13 and 5.1.5.

Affected Version(s)

symfony >= 4.4.0, < 4.4.13 < 4.4.0, 4.4.13

symfony >= 5.0.0, < 5.1.5 < 5.0.0, 5.1.5

References

https://github.com/symfony/symfony/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/symfony/symfony/commit/d9910e0b33a2e0f...
x_refsource_MISC
https://packagist.org/packages/symfony/symfony
x_refsource_MISC

CVSS V3.1

Score:
8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.