VulnerableCode Package Details - pkg:composer/symfony/symfony@2.1.4

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-hk4p-rd5x-xqaw	Information Exposure Request::getClientIp() when the trust proxy mode is enabled.	2012-11-29
VCID-wh8p-snsf-u7es	Symfony2 improper IP based access control Damien Tournoud, from the Drupal security team, contacted us two days ago about a security issue in the Request::getClientIp() method when the trust proxy mode is enabled (Request::trustProxyData()). An application is vulnerable if it uses the client IP address as returned by the Request::getClientIp() method for sensitive decisions like IP based access control. To fix this security issue, the following changes have been made to all versions of Symfony2: A new Request::setTrustedProxies() method has been introduced and should be used intead of Request::trustProxyData() to enable the trust proxy mode. It takes an array of trusted proxy IP addresses as its argument: ``` // before (probably in your front controller script) Request::trustProxyData(); ``` ``` // after Request::setTrustedProxies(array('1.1.1.1')); // 1.1.1.1 being the IP address of a trusted reverse proxy ``` The Request::trustProxyData() method has been deprecated (when used, it automatically trusts the latest proxy in the chain -- which is the current remote address): ``` Request::trustProxyData(); ``` ``` // is equivalent to Request::setTrustedProxies(array($request->server->get('REMOTE_ADDR'))); ``` We encourage all Symfony2 users to upgrade as soon as possible. It you don't want to upgrade to the latest version yet, you can also apply the following patches: [Patch](https://github.com/symfony/symfony/compare/fc89d6b...9ce892c.patch) for Symfony 2.0.19 [Patch](https://github.com/symfony/symfony/compare/922c201...e5536f0.patch) for Symfony 2.1.4	GHSA-hx53-jchx-cr52
VCID-yhd4-n2m1-wueq	Symfony2 security issue when the trust proxy mode is enabled An application is vulnerable if it uses the client IP address as returned by the Request::getClientIp() method for sensitive decisions like IP based access control. To fix this security issue, the following changes have been made to all versions of Symfony2: A new Request::setTrustedProxies() method has been introduced and should be used intead of Request::trustProxyData() to enable the trust proxy mode. It takes an array of trusted proxy IP addresses as its argument: ``` // before (probably in your front controller script) Request::trustProxyData(); // after Request::setTrustedProxies(array('1.1.1.1')); // 1.1.1.1 being the IP address of a trusted reverse proxy ``` The Request::trustProxyData() method has been deprecated (when used, it automatically trusts the latest proxy in the chain -- which is the current remote address): ``` Request::trustProxyData(); // is equivalent to Request::setTrustedProxies(array($request->server->get('REMOTE_ADDR'))); ``` We encourage all Symfony2 users to upgrade as soon as possible. It you don't want to upgrade to the latest version yet, you can also apply the following patches: - [Patch](https://github.com/symfony/symfony/compare/fc89d6b...9ce892c.patch) for Symfony 2.0.19 - [Patch](https://github.com/symfony/symfony/compare/922c201...e5536f0.patch) for Symfony 2.1.4	GHSA-vfm6-r2gc-pwww

Vulnerability

Summary

Aliases

VCID-hk4p-rd5x-xqaw

Information Exposure Request::getClientIp() when the trust proxy mode is enabled.

2012-11-29

VCID-wh8p-snsf-u7es

Symfony2 improper IP based access control Damien Tournoud, from the Drupal security team, contacted us two days ago about a security issue in the Request::getClientIp() method when the trust proxy mode is enabled (Request::trustProxyData()). An application is vulnerable if it uses the client IP address as returned by the Request::getClientIp() method for sensitive decisions like IP based access control. To fix this security issue, the following changes have been made to all versions of Symfony2: A new Request::setTrustedProxies() method has been introduced and should be used intead of Request::trustProxyData() to enable the trust proxy mode. It takes an array of trusted proxy IP addresses as its argument: ``` // before (probably in your front controller script) Request::trustProxyData(); ``` ``` // after Request::setTrustedProxies(array('1.1.1.1')); // 1.1.1.1 being the IP address of a trusted reverse proxy ``` The Request::trustProxyData() method has been deprecated (when used, it automatically trusts the latest proxy in the chain -- which is the current remote address): ``` Request::trustProxyData(); ``` ``` // is equivalent to Request::setTrustedProxies(array($request->server->get('REMOTE_ADDR'))); ``` We encourage all Symfony2 users to upgrade as soon as possible. It you don't want to upgrade to the latest version yet, you can also apply the following patches: [Patch](https://github.com/symfony/symfony/compare/fc89d6b...9ce892c.patch) for Symfony 2.0.19 [Patch](https://github.com/symfony/symfony/compare/922c201...e5536f0.patch) for Symfony 2.1.4

GHSA-hx53-jchx-cr52

VCID-yhd4-n2m1-wueq

Symfony2 security issue when the trust proxy mode is enabled An application is vulnerable if it uses the client IP address as returned by the Request::getClientIp() method for sensitive decisions like IP based access control. To fix this security issue, the following changes have been made to all versions of Symfony2: A new Request::setTrustedProxies() method has been introduced and should be used intead of Request::trustProxyData() to enable the trust proxy mode. It takes an array of trusted proxy IP addresses as its argument: ``` // before (probably in your front controller script) Request::trustProxyData(); // after Request::setTrustedProxies(array('1.1.1.1')); // 1.1.1.1 being the IP address of a trusted reverse proxy ``` The Request::trustProxyData() method has been deprecated (when used, it automatically trusts the latest proxy in the chain -- which is the current remote address): ``` Request::trustProxyData(); // is equivalent to Request::setTrustedProxies(array($request->server->get('REMOTE_ADDR'))); ``` We encourage all Symfony2 users to upgrade as soon as possible. It you don't want to upgrade to the latest version yet, you can also apply the following patches: - [Patch](https://github.com/symfony/symfony/compare/fc89d6b...9ce892c.patch) for Symfony 2.0.19 - [Patch](https://github.com/symfony/symfony/compare/922c201...e5536f0.patch) for Symfony 2.1.4

GHSA-vfm6-r2gc-pwww

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-07-01T18:09:55.555755+00:00	GitLab Importer	Fixing	VCID-hk4p-rd5x-xqaw	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/symfony/2012-11-29.yml	36.1.3
2025-07-01T14:35:01.228794+00:00	GHSA Importer	Fixing	VCID-wh8p-snsf-u7es	https://github.com/advisories/GHSA-hx53-jchx-cr52	36.1.3
2025-07-01T14:35:00.620511+00:00	GHSA Importer	Fixing	VCID-yhd4-n2m1-wueq	https://github.com/advisories/GHSA-vfm6-r2gc-pwww	36.1.3
2025-07-01T12:11:36.349911+00:00	GithubOSV Importer	Fixing	VCID-yhd4-n2m1-wueq	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-vfm6-r2gc-pwww/GHSA-vfm6-r2gc-pwww.json	36.1.3
2025-07-01T12:11:29.270395+00:00	GithubOSV Importer	Fixing	VCID-wh8p-snsf-u7es	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-hx53-jchx-cr52/GHSA-hx53-jchx-cr52.json	36.1.3