Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:composer/symfony/http-foundation@4.1.0
Typecomposer
Namespacesymfony
Namehttp-foundation
Version4.1.0
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version4.1.3
Latest_non_vulnerable_version7.3.7
Affected_by_vulnerabilities
0
url VCID-qqd1-smb1-sbe8
vulnerability_id VCID-qqd1-smb1-sbe8
summary 
URL Rewrite vulnerability
An issue in Symfony arises from support for a (legacy) IIS header that lets users override the path in the request URL via the `X-Original-URL` or `X-Rewrite-URL` HTTP request header. These headers are designed for IIS support, but it's not verified that the server is in fact running IIS, which means anybody who can send these requests to an application can trigger this. This affects `\Symfony\Component\HttpFoundation\Request::prepareRequestUri()` where `X-Original-URL` and `X_REWRITE_URL` are both used. The fix drops support for these methods so that they cannot be used as attack vectors such as web cache poisoning.
references
0
reference_url https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers
reference_id CVE-2018-14773-REMOVE-SUPPORT-FOR-LEGACY-AND-RISKY-HTTP-HEADERS
reference_type
scores
url https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers
fixed_packages
0
url pkg:composer/symfony/http-foundation@4.1.3
purl pkg:composer/symfony/http-foundation@4.1.3
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@4.1.3
aliases CVE-2018-14773
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qqd1-smb1-sbe8
Fixing_vulnerabilities
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:composer/symfony/http-foundation@4.1.0