Lookup of vulnerable packages by Package URL (purl).

purl pkg:composer/symfony/symfony@2.4.0-alpha
type composer
namespace symfony
name symfony
version 2.4.0-alpha
qualifiers
subpath
is_vulnerable true
next_non_vulnerable_version 2.5.11
latest_non_vulnerable_version 8.0.5
affected_by_vulnerabilities
0
url VCID-5pmg-t1rb-wbd4
vulnerability_id VCID-5pmg-t1rb-wbd4
summary
Unsafe methods in the Request class
The `Symfony\Component\HttpFoundation\Request` class provides a mechanism that ensures it does not trust HTTP header values coming from a "non-trusted" client. Unfortunately, it assumes that the remote address is always a trusted client if at least one trusted proxy is involved in the request; this allows a man-in-the-middle attack between the latest trusted proxy and the web server. The following methods are impacted: `getPort()`, `isSecure()`, `getHost()` and `getClientIps()`.
references
0
reference_url http://symfony.com/blog/cve-2015-2309-unsafe-methods-in-the-request-class
reference_id CVE-2015-2309-UNSAFE-METHODS-IN-THE-REQUEST-CLASS
reference_type
scores
url http://symfony.com/blog/cve-2015-2309-unsafe-methods-in-the-request-class
fixed_packages
0
url pkg:composer/symfony/symfony@2.5.11
purl pkg:composer/symfony/symfony@2.5.11
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.5.11
1
url pkg:composer/symfony/symfony@2.6.6
purl pkg:composer/symfony/symfony@2.6.6
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.6.6
aliases CVE-2015-2309
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5pmg-t1rb-wbd4
1
url VCID-wdz4-hfer-1ud1
vulnerability_id VCID-wdz4-hfer-1ud1
summary
Esi Code Injection
Applications with ESI support (and SSI support as of Symfony ) enabled and using the Symfony built-in reverse proxy (the `Symfony\Component\HttpKernel\HttpCache` class) are vulnerable to PHP code injection; a malicious user can inject PHP code that will be executed by the server.
references
0
reference_url http://symfony.com/blog/cve-2015-2308-esi-code-injection
reference_id CVE-2015-2308-ESI-CODE-INJECTION
reference_type
scores
url http://symfony.com/blog/cve-2015-2308-esi-code-injection
fixed_packages
0
url pkg:composer/symfony/symfony@2.5.11
purl pkg:composer/symfony/symfony@2.5.11
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.5.11
1
url pkg:composer/symfony/symfony@2.6.6
purl pkg:composer/symfony/symfony@2.6.6
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.6.6
aliases CVE-2015-2308
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wdz4-hfer-1ud1
2
url VCID-x4nv-gvag-7qf2
vulnerability_id VCID-x4nv-gvag-7qf2
summary
CVE-2016-4423: Large username storage in session
The attemptAuthentication function in `Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php` does not limit the length of a username stored in a session, which allows remote attackers to cause a denial of service (session storage consumption) via a series of authentication attempts with long, non-existent usernames.
references
0
reference_url https://github.com/symfony/symfony/pull/18733
reference_id
reference_type
scores
url https://github.com/symfony/symfony/pull/18733
1
reference_url https://symfony.com/cve-2016-4423
reference_id CVE-2016-4423
reference_type
scores
url https://symfony.com/cve-2016-4423
2
reference_url http://symfony.com/blog/cve-2016-4423-large-username-storage-in-session
reference_id CVE-2016-4423-LARGE-USERNAME-STORAGE-IN-SESSION
reference_type
scores
url http://symfony.com/blog/cve-2016-4423-large-username-storage-in-session
fixed_packages
0
url pkg:composer/symfony/symfony@2.7.13
purl pkg:composer/symfony/symfony@2.7.13
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.7.13
1
url pkg:composer/symfony/symfony@2.8.6
purl pkg:composer/symfony/symfony@2.8.6
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.8.6
2
url pkg:composer/symfony/symfony@3.0.6
purl pkg:composer/symfony/symfony@3.0.6
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@3.0.6
aliases CVE-2016-4423
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-x4nv-gvag-7qf2
fixing_vulnerabilities
risk_score null
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.4.0-alpha