Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:composer/symfony/http-foundation@4.0.0
Typecomposer
Namespacesymfony
Namehttp-foundation
Version4.0.0
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version4.0.11
Latest_non_vulnerable_version7.3.7
Affected_by_vulnerabilities
0
url VCID-7m45-bvbn-4qd3
vulnerability_id VCID-7m45-bvbn-4qd3
summary 
SQL Injection
In Symfony HTTP Methods provided as verbs or using the override header may be treated as trusted input, but they are not validated, possibly causing SQL injection or XSS.
references
0
reference_url https://symfony.com/cve-2019-10913
reference_id CVE-2019-10913
reference_type
scores
url https://symfony.com/cve-2019-10913
fixed_packages
0
url pkg:composer/symfony/http-foundation@4.2.7
purl pkg:composer/symfony/http-foundation@4.2.7
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@4.2.7
aliases CVE-2019-10913
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7m45-bvbn-4qd3
1
url VCID-nsuz-7sdv-abef
vulnerability_id VCID-nsuz-7sdv-abef
summary 
Insufficient Session Expiration
The `PDOSessionHandler` class allows storing sessions on a PDO connection. Under some configurations and with a well-crafted payload, it was possible to do a denial of service on a Symfony application without too much resources.
references
0
reference_url https://symfony.com/cve-2018-11386
reference_id CVE-2018-11386
reference_type
scores
url https://symfony.com/cve-2018-11386
fixed_packages
0
url pkg:composer/symfony/http-foundation@4.0.11
purl pkg:composer/symfony/http-foundation@4.0.11
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@4.0.11
aliases CVE-2018-11386
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nsuz-7sdv-abef
2
url VCID-qqd1-smb1-sbe8
vulnerability_id VCID-qqd1-smb1-sbe8
summary 
URL Rewrite vulnerability
An issue in Symfony arises from support for a (legacy) IIS header that lets users override the path in the request URL via the `X-Original-URL` or `X-Rewrite-URL` HTTP request header. These headers are designed for IIS support, but it's not verified that the server is in fact running IIS, which means anybody who can send these requests to an application can trigger this. This affects `\Symfony\Component\HttpFoundation\Request::prepareRequestUri()` where `X-Original-URL` and `X_REWRITE_URL` are both used. The fix drops support for these methods so that they cannot be used as attack vectors such as web cache poisoning.
references
0
reference_url https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers
reference_id CVE-2018-14773-REMOVE-SUPPORT-FOR-LEGACY-AND-RISKY-HTTP-HEADERS
reference_type
scores
url https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers
fixed_packages
0
url pkg:composer/symfony/http-foundation@4.0.14
purl pkg:composer/symfony/http-foundation@4.0.14
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@4.0.14
1
url pkg:composer/symfony/http-foundation@4.1.3
purl pkg:composer/symfony/http-foundation@4.1.3
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@4.1.3
aliases CVE-2018-14773
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qqd1-smb1-sbe8
Fixing_vulnerabilities
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@4.0.0