Search for packages
| purl | pkg:composer/symfony/symfony@2.0.14 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-23wm-y6hh-hfd3
Aliases: CVE-2012-6431 GHSA-83c3-qx27-2rwr |
Routes behind a firewall are accessible even when not logged in Symfony does not process URL encoded data consistently within the Routing and Security components, which allows remote attackers to bypass intended URI restrictions via a doubly encoded string. |
Affected by 30 other vulnerabilities. |
|
VCID-2hua-7wbd-tqbx
Aliases: CVE-2018-11386 GHSA-r2rq-3h56-fqm4 |
Insufficient Session Expiration The `PDOSessionHandler` class allows storing sessions on a PDO connection. Under some configurations and with a well-crafted payload, it was possible to do a denial of service on a Symfony application without too much resources. |
Affected by 22 other vulnerabilities. Affected by 21 other vulnerabilities. Affected by 27 other vulnerabilities. Affected by 21 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
VCID-446x-j2gr-f3a2
Aliases: GHSA-vfm6-r2gc-pwww |
Symfony2 security issue when the trust proxy mode is enabled An application is vulnerable if it uses the client IP address as returned by the Request::getClientIp() method for sensitive decisions like IP based access control. To fix this security issue, the following changes have been made to all versions of Symfony2: A new Request::setTrustedProxies() method has been introduced and should be used intead of Request::trustProxyData() to enable the trust proxy mode. It takes an array of trusted proxy IP addresses as its argument: ``` // before (probably in your front controller script) Request::trustProxyData(); // after Request::setTrustedProxies(array('1.1.1.1')); // 1.1.1.1 being the IP address of a trusted reverse proxy ``` The Request::trustProxyData() method has been deprecated (when used, it automatically trusts the latest proxy in the chain -- which is the current remote address): ``` Request::trustProxyData(); // is equivalent to Request::setTrustedProxies(array($request->server->get('REMOTE_ADDR'))); ``` We encourage all Symfony2 users to upgrade as soon as possible. It you don't want to upgrade to the latest version yet, you can also apply the following patches: - [Patch](https://github.com/symfony/symfony/compare/fc89d6b...9ce892c.patch) for Symfony 2.0.19 - [Patch](https://github.com/symfony/symfony/compare/922c201...e5536f0.patch) for Symfony 2.1.4 |
Affected by 30 other vulnerabilities. Affected by 29 other vulnerabilities. |
|
VCID-4num-z8cg-83gt
Aliases: CVE-2024-51736 GHSA-qq5c-677p-737q |
Symfony vulnerable to command execution hijack on Windows with Process class ### Description On Windows, when an executable file named `cmd.exe` is located in the current working directory it will be called by the `Process` class when preparing command arguments, leading to possible hijacking. ### Resolution The `Process` class now uses the absolute path to `cmd.exe`. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/18ecd03eda3917fdf901a48e72518f911c64a1c9) for branch 5.4. ### Credits We would like to thank Jordi Boggiano for reporting the issue and Nicolas Grekas for providing the fix. |
Affected by 2 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-556v-rym3-6yax
Aliases: CVE-2018-11406 GHSA-g4g7-q726-v5hg |
Cross-Site Request Forgery (CSRF) By default, a user's session is invalidated when the user is logged out. This behavior can be disabled through the `invalidate_session` option. In this case, CSRF tokens were not erased during logout which allowed for CSRF token fixation. |
Affected by 22 other vulnerabilities. Affected by 21 other vulnerabilities. Affected by 27 other vulnerabilities. Affected by 21 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
VCID-6cea-up73-y3hn
Aliases: CVE-2014-6061 GHSA-h7v2-2qwg-h829 |
Improper Authorization Security issue when parsing the Authorization header. |
Affected by 24 other vulnerabilities. Affected by 24 other vulnerabilities. Affected by 24 other vulnerabilities. Affected by 24 other vulnerabilities. |
|
VCID-6z5x-uwjt-uueq
Aliases: CVE-2014-6072 GHSA-v35g-4rrw-h4fw |
Cross-Site Request Forgery (CSRF)Cross-Site Request Forgery (CSRF) CSRF vulnerability in the Web Profiler. |
Affected by 24 other vulnerabilities. Affected by 24 other vulnerabilities. Affected by 24 other vulnerabilities. Affected by 24 other vulnerabilities. |
|
VCID-71vh-7wte-kfcx
Aliases: CVE-2018-11385 GHSA-g4rg-rw65-8hfg |
Session Fixation A session fixation vulnerability within the `Guard` login feature may allow an attacker to impersonate a victim towards the web application if the session id value was previously known to the attacker. |
Affected by 22 other vulnerabilities. Affected by 21 other vulnerabilities. Affected by 27 other vulnerabilities. Affected by 21 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
VCID-9bzz-84cq-ykh2
Aliases: CVE-2024-50345 GHSA-mrqx-rp3w-jpjp |
Symfony vulnerable to open redirect via browser-sanitized URLs ### Description The `Request` class, does not parse URI with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the `Request` class to redirect users to another domain. ### Resolution The `Request::create` methods now assert the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/ The patch for this issue is available [here](https://github.com/symfony/symfony/commit/5a9b08e5740af795854b1b639b7d45b9cbfe8819) for branch 5.4. ### Credits We would like to thank Sam Mush - IPASSLab && ZGC Lab for reporting the issue and Nicolas Grekas for providing the fix. |
Affected by 2 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-ahhz-bs6u-f3bc
Aliases: CVE-2014-5245 GHSA-wvjv-p5rr-mmqm |
Improper Access Control Direct access of ESI URLs behind a trusted proxy. |
Affected by 24 other vulnerabilities. Affected by 24 other vulnerabilities. Affected by 24 other vulnerabilities. Affected by 24 other vulnerabilities. |
|
VCID-bdhj-np35-sybt
Aliases: CVE-2023-46734 GHSA-q847-2q57-wmr3 |
Symfony potential Cross-site Scripting vulnerabilities in CodeExtension filters Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 2.0.0, 5.0.0, and 6.0.0 and prior to versions 4.4.51, 5.4.31, and 6.3.8, some Twig filters in CodeExtension use `is_safe=html` but don't actually ensure their input is safe. As of versions 4.4.51, 5.4.31, and 6.3.8, Symfony now escapes the output of the affected filters. |
Affected by 6 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-bhfu-7788-fbhc
Aliases: CVE-2018-14773 GHSA-8wgj-6wx8-h5hq |
URL Rewrite vulnerability An issue in Symfony arises from support for a (legacy) IIS header that lets users override the path in the request URL via the `X-Original-URL` or `X-Rewrite-URL` HTTP request header. These headers are designed for IIS support, but it's not verified that the server is in fact running IIS, which means anybody who can send these requests to an application can trigger this. This affects `\Symfony\Component\HttpFoundation\Request::prepareRequestUri()` where `X-Original-URL` and `X_REWRITE_URL` are both used. The fix drops support for these methods so that they cannot be used as attack vectors such as web cache poisoning. |
Affected by 18 other vulnerabilities. Affected by 19 other vulnerabilities. Affected by 21 other vulnerabilities. Affected by 19 other vulnerabilities. Affected by 20 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
VCID-bny7-h1nn-bkbc
Aliases: CVE-2013-1348 GHSA-2r5h-6r7v-5m7c |
Code Injection The `Yaml::parse` function in Symfony allows remote attackers to execute arbitrary PHP code via a PHP file. |
Affected by 27 other vulnerabilities. |
|
VCID-c8ar-82sr-fqej
Aliases: CVE-2024-50343 GHSA-g3rh-rrhp-jhh9 |
Symfony has an incorrect response from Validator when input ends with `\n` ### Description It is possible to trick a `Validator` configured with a regular expression using the `$` metacharacters, with an input ending with `\n`. ### Resolution Symfony now uses the `D` regex modifier to match the entire input. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/7d1032bbead9a4229b32fa6ebca32681c80cb76f) for branch 5.4. ### Credits We would like to thank Offscript for reporting the issue and Alexandre Daubois for providing the fix. |
Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 5 other vulnerabilities. |
|
VCID-d1kp-7aht-9qa2
Aliases: CVE-2015-2308 GHSA-5c58-w9xc-qcj9 |
Esi Code Injection Applications with ESI support (and SSI support as of Symfony ) enabled and using the Symfony built-in reverse proxy (the `Symfony\Component\HttpKernel\HttpCache` class) are vulnerable to PHP code injection; a malicious user can inject PHP code that will be executed by the server. |
Affected by 22 other vulnerabilities. Affected by 22 other vulnerabilities. Affected by 21 other vulnerabilities. |
|
VCID-hzwd-mq3r-qfcb
Aliases: CVE-2013-5958 GHSA-cr49-fx2v-9p57 |
Uncontrolled Resource Consumption The Security component in Symfony allows remote attackers to cause a denial of service (CPU consumption) via a long password that triggers an expensive hash computation, as demonstrated by a PBKDF2 computation, a similar issue to CVE-2013-5750. |
Affected by 24 other vulnerabilities. Affected by 24 other vulnerabilities. Affected by 25 other vulnerabilities. Affected by 28 other vulnerabilities. |
|
VCID-jdsd-3vnz-uygn
Aliases: CVE-2019-18888 GHSA-xhh6-956q-4q69 |
Argument injection in a MimeTypeGuesser in Symfony An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. This is related to symfony/http-foundation (and symfony/mime in 4.3.x). |
Affected by 10 other vulnerabilities. Affected by 10 other vulnerabilities. Affected by 12 other vulnerabilities. Affected by 12 other vulnerabilities. |
|
VCID-jjqk-u4vs-tbba
Aliases: CVE-2013-1397 GHSA-7w53-hfpw-rg3g |
Symfony Arbitrary PHP code Execution Symfony 2.0.x before 2.0.22, 2.1.x before 2.1.7, and 2.2.x remote attackers to execute arbitrary PHP code via a serialized PHP object to the (1) Yaml::parse or (2) Yaml\Parser::parse function, a different vulnerability than CVE-2013-1348. |
Affected by 27 other vulnerabilities. Affected by 27 other vulnerabilities. Affected by 24 other vulnerabilities. |
|
VCID-k37h-bhh2-myaj
Aliases: GHSA-q2gc-gg3x-7942 |
Symfony XML Entity Expansion security vulnerability Symfony 2.0.11 carried a [similar] XXE security fix, however, on review of ZF2 I also noted a vulnerability to XML Entity Expansion (XEE) attacks whereby all extensions making use of libxml2 have no defense against XEE Quadratic Blowup Attacks. The vulnerability is a function of there being no current method of disabling custom entities in PHP (i.e. defined internal to the XML document without using external entities). In a QBA, a long entity can be defined and then referred to multiple times in document elements, creating a memory sink with which Denial Of Service attacks against a host's RAM can be mounted. The use of the LIBXML_NOENT or equivalent option in a dependent extension amplified the impact (it doesn't actually mean "No Entities"). In addition, libxml2's innate defense against the related Exponential or Billion Laugh's XEE attacks is active only so long as the LIBXML_PARSEHUGE is NOT set (it disables libxml2's hardcoded entity recursion limit). No instances of these two options were noted, but it's worth referencing for the future. Consider this (non-fatal) example: <?xml version="1.0"?> <!DOCTYPE data [<!ENTITY a "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa">]> <data>&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;</data> Increase the length of entity, and entity count to a few hundred, and peak memory usage will waste no time spiking the moment the nodeValue for is accessed since the entities will then be expanded by a simple multiplier effect. No external entities required. ... This can be used in combination with the usual XXE defense of calling libxml_disable_entity_loader(TRUE) and, optionally, the LIBXML_NONET option (should local filesystem access be allowable). The DOCTYPE may be removed instead of rejecting the XML outright but this would likely result in other problems with the unresolved entities. |
Affected by 34 other vulnerabilities. |
|
VCID-k8ze-h7fe-fkg2
Aliases: CVE-2015-8766 GHSA-4c5w-qqfg-grf3 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Multiple cross-site scripting (XSS) vulnerabilities in content/content.systempreferences.php in Symphony CMS before 2.6.4 allow remote attackers to inject arbitrary web script or HTML via the (1) email_sendmail[from_name], (2) email_sendmail[from_address], (3) email_smtp[from_name], (4) email_smtp[from_address], (5) email_smtp[host], (6) email_smtp[port], (7) jit_image_manipulation[trusted_external_sites], or (8) maintenance_mode[ip_allow list] parameters to system/preferences. |
Affected by 23 other vulnerabilities. |
|
VCID-kgu6-gj5d-7bfx
Aliases: CVE-2026-24739 GHSA-r39x-jcww-82v6 |
Symfony's incorrect argument escaping under MSYS2/Git Bash can lead to destructive file operations on Windows ### Summary The Symfony Process component did not correctly treat some characters (notably `=`) as “special” when escaping arguments on Windows. When PHP is executed from an MSYS2-based environment (e.g. Git Bash) and Symfony Process spawns native Windows executables, MSYS2’s argument/path conversion can mishandle unquoted arguments containing these characters. This can cause the spawned process to receive corrupted/truncated arguments compared to what Symfony intended. ### Impact If an application (or tooling such as Composer scripts) uses Symfony Process to invoke file-management commands (e.g. `rmdir`, `del`, etc.) with a path argument containing `=`, the MSYS2 conversion layer may alter the argument at runtime. In affected setups this can result in operations being performed on an unintended path, up to and including deletion of the contents of a broader directory or drive. The issue is particularly relevant when untrusted input can influence process arguments (directly or indirectly, e.g. via repository paths, extracted archive paths, temporary directories, or user-controlled configuration). ### Resolution Upgrade to a Symfony release that includes the fix from symfony/symfony#63164 (which updates Windows argument escaping to ensure arguments containing = and other MSYS2-sensitive characters are properly quoted/escaped). The patch for branch 5.4 is available at https://github.com/symfony/symfony/commit/ec154f6f95f8c60f831998ec4d246a857e9d179b ### Workarounds / Mitigations Avoid running PHP/your tooling from MSYS2-based shells on Windows; prefer cmd.exe or PowerShell for workflows that spawn native executables. Avoid passing paths containing `=` (and similar MSYS2-sensitive characters) to Symfony Process when operating under Git Bash/MSYS2. Where applicable, configure MSYS2 to disable or restrict argument conversion (e.g. via `MSYS2_ARG_CONV_EXCL`), understanding this may affect other tooling behavior. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-nsk8-bk5e-tbfh
Aliases: CVE-2016-4423 GHSA-whgv-8cg3-7hcm |
CVE-2016-4423: Large username storage in session The attemptAuthentication function in `Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php` does not limit the length of a username stored in a session, which allows remote attackers to cause a denial of service (session storage consumption) via a series of authentication attempts with long, non-existent usernames. |
Affected by 17 other vulnerabilities. Affected by 25 other vulnerabilities. Affected by 30 other vulnerabilities. Affected by 26 other vulnerabilities. |
|
VCID-p1dw-w76f-gbfv
Aliases: CVE-2025-64500 GHSA-3rg7-wf37-54rm |
Symfony's incorrect parsing of PATH_INFO can lead to limited authorization bypass The `Request` class improperly interprets some `PATH_INFO` in a way that leads to representing some URLs with a path that doesn't start with a `/`. This can allow bypassing some access control rules that are built with this `/`-prefix assumption. |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
|
VCID-qty4-cyfa-rugw
Aliases: CVE-2014-5244 GHSA-v77v-x634-9m56 |
Uncontrolled Resource Consumption Denial of service with a malicious HTTP Host header. |
Affected by 24 other vulnerabilities. Affected by 24 other vulnerabilities. Affected by 24 other vulnerabilities. Affected by 24 other vulnerabilities. |
|
VCID-qwcj-hq3g-2qd7
Aliases: CVE-2022-23601 GHSA-vvmr-8829-6whx |
Cross-Site Request Forgery (CSRF) Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony form component provides a CSRF protection mechanism by using a random token injected in the form and using the session to store and control the token submitted by the user. When using the FrameworkBundle, this protection can be enabled or disabled with the configuration. If the configuration is not specified, by default, the mechanism is enabled as long as the session is enabled. In a recent change in the way the configuration is loaded, the default behavior has been dropped and, as a result, the CSRF protection is not enabled in form when not explicitly enabled, which makes the application sensible to CSRF attacks. This issue has been resolved in the patch versions listed and users are advised to update. There are no known workarounds for this issue. |
Affected by 10 other vulnerabilities. Affected by 10 other vulnerabilities. Affected by 9 other vulnerabilities. |
|
VCID-rgh3-ef8t-k3ec
Aliases: CVE-2022-24894 GHSA-h7vf-5wrv-9fhv GMS-2023-209 GMS-2023-212 |
Duplicate This advisory duplicates another. |
Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 8 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 8 other vulnerabilities. |
|
VCID-rxbg-gmn6-kbeq
Aliases: CVE-2012-6432 GHSA-89cp-fvcc-hxh7 |
Code Injection Symfony, when the internal routes configuration is enabled, allows remote attackers to access arbitrary services via vectors involving a URI beginning with a `/_internal` substring. |
Affected by 29 other vulnerabilities. Affected by 28 other vulnerabilities. |
|
VCID-rztj-ug83-dyga
Aliases: CVE-2013-4752 GHSA-22pv-7v9j-hqxp |
Information Exporure `Request::getHost()` poisoning vulnerability in Symfony. |
Affected by 25 other vulnerabilities. Affected by 25 other vulnerabilities. Affected by 26 other vulnerabilities. Affected by 29 other vulnerabilities. |
|
VCID-sfzy-423b-j3b4
Aliases: CVE-2013-4751 GHSA-q8j7-fjh7-25v5 |
Symfony collectionCascaded and collectionCascadedDeeply fields security bypass When using the Validator component, if `Symfony\\Component\\Validator\\Mapping\\Cache\\ApcCache` is enabled (or any other cache implementing `Symfony\\Component\\Validator\\Mapping\\Cache\\CacheInterface`), some information is lost during serialization (the `collectionCascaded` and the `collectionCascadedDeeply` fields). As a consequence, arrays or traversable objects stored in fields using the `@Valid` constraint are not traversed by the validator as soon as the validator configuration is loaded from the cache. |
Affected by 25 other vulnerabilities. Affected by 25 other vulnerabilities. Affected by 26 other vulnerabilities. Affected by 29 other vulnerabilities. |
|
VCID-skth-cf6d-3ubr
Aliases: CVE-2017-18343 |
Cross-site Scripting The debug handler in Symfony has an XSS via an array key during exception pretty printing in `ExceptionHandler.php`, as demonstrated by a `/_debugbar/open?op`=get` URI. |
Affected by 24 other vulnerabilities. Affected by 29 other vulnerabilities. Affected by 30 other vulnerabilities. Affected by 31 other vulnerabilities. |
|
VCID-srrc-wxew-1fc6
Aliases: CVE-2014-4931 GHSA-wfv7-5x33-v22h |
Code Injection Code injection in the way Symfony implements translation caching in FrameworkBundle. |
Affected by 24 other vulnerabilities. Affected by 24 other vulnerabilities. Affected by 24 other vulnerabilities. Affected by 24 other vulnerabilities. |
|
VCID-thtp-ehsj-t3ej
Aliases: CVE-2022-24895 GHSA-3gv2-29qc-v67m GMS-2023-210 GMS-2023-211 |
Duplicate This advisory duplicates another. |
Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 8 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 8 other vulnerabilities. |
|
VCID-u84h-sr6a-4uc7
Aliases: 2012-11-29 |
Information Exposure Request::getClientIp() when the trust proxy mode is enabled. |
Affected by 30 other vulnerabilities. Affected by 24 other vulnerabilities. Affected by 29 other vulnerabilities. |
|
VCID-unuf-vj1b-qbhr
Aliases: 2012-08-28 |
Improper Restriction of XML External Entity Reference Security fixes related to the way XML is handled in symfony. |
Affected by 34 other vulnerabilities. Affected by 24 other vulnerabilities. |
|
VCID-wwhm-mrr3-v7h3
Aliases: CVE-2015-2309 GHSA-p684-f7fh-jv2j |
Unsafe methods in the Request class The `Symfony\Component\HttpFoundation\Request` class provides a mechanism that ensures it does not trust HTTP header values coming from a "non-trusted" client. Unfortunately, it assumes that the remote address is always a trusted client if at least one trusted proxy is involved in the request; this allows a man-in-the-middle attack between the latest trusted proxy and the web server. The following methods are impacted: `getPort()`, `isSecure()`, `getHost()` and `getClientIps()`. |
Affected by 22 other vulnerabilities. Affected by 22 other vulnerabilities. Affected by 22 other vulnerabilities. Affected by 21 other vulnerabilities. Affected by 21 other vulnerabilities. |
|
VCID-xmur-ps51-myfu
Aliases: GHSA-hx53-jchx-cr52 |
Symfony2 improper IP based access control Damien Tournoud, from the Drupal security team, contacted us two days ago about a security issue in the Request::getClientIp() method when the trust proxy mode is enabled (Request::trustProxyData()). An application is vulnerable if it uses the client IP address as returned by the Request::getClientIp() method for sensitive decisions like IP based access control. To fix this security issue, the following changes have been made to all versions of Symfony2: A new Request::setTrustedProxies() method has been introduced and should be used intead of Request::trustProxyData() to enable the trust proxy mode. It takes an array of trusted proxy IP addresses as its argument: ``` // before (probably in your front controller script) Request::trustProxyData(); ``` ``` // after Request::setTrustedProxies(array('1.1.1.1')); // 1.1.1.1 being the IP address of a trusted reverse proxy ``` The Request::trustProxyData() method has been deprecated (when used, it automatically trusts the latest proxy in the chain -- which is the current remote address): ``` Request::trustProxyData(); ``` ``` // is equivalent to Request::setTrustedProxies(array($request->server->get('REMOTE_ADDR'))); ``` We encourage all Symfony2 users to upgrade as soon as possible. It you don't want to upgrade to the latest version yet, you can also apply the following patches: [Patch](https://github.com/symfony/symfony/compare/fc89d6b...9ce892c.patch) for Symfony 2.0.19 [Patch](https://github.com/symfony/symfony/compare/922c201...e5536f0.patch) for Symfony 2.1.4 |
Affected by 30 other vulnerabilities. Affected by 29 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||