Package details: pkg:composer/symfony/symfony@4.3.0
purl pkg:composer/symfony/symfony@4.3.0
Next non-vulnerable version 4.3.8
Latest non-vulnerable version 7.1.8
Vulnerabilities affecting this package (7)
VCID-267p-fu2q-hyd1
Aliases: CVE-2024-50342, GHSA-9c3x-r3wp-mgxm
Summary: Symfony allows internal address and port enumeration by NoPrivateNetworkHttpClient

### Description
When using the `NoPrivateNetworkHttpClient`, some internal information is still leaking during host resolution, which leads to possible IP/port enumeration.

### Resolution
The `NoPrivateNetworkHttpClient` now filters blocked IPs earlier to prevent such leaks. The first patch for this issue is available [here](https://github.com/symfony/symfony/commit/296d4b34a33b1a6ca5475c6040b3203622520f5b) for branch 5.4. The second one is available [here](https://github.com/symfony/symfony/commit/b4bf5afdbdcb2fd03da513ee03beeabeb551e5fa) for branch 5.4 also.

### Credits
We would like to thank Linus Karlsson and Chris Smith for reporting the issue and Nicolas Grekas for providing the fix.

Fixed by: 5.4.47 (affected by 0 other vulnerabilities), 6.4.15 (affected by 0 other vulnerabilities), 7.1.8 (affected by 0 other vulnerabilities)
VCID-2gr1-yfyf-47f1
Aliases: CVE-2020-15094, GHSA-754h-5r27-7x3r
Summary: RCE in Symfony

Description
-----------
The `CachingHttpClient` class from the HttpClient Symfony component relies on the `HttpCache` class to handle requests. `HttpCache` uses internal headers like `X-Body-Eval` and `X-Body-File` to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by `CachingHttpClient` and if an attacker can control the response for a request being made by the `CachingHttpClient`, remote code execution is possible.

Resolution
----------
HTTP headers designed for internal use in `HttpCache` are now stripped from remote responses before being passed to `HttpCache`. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/d9910e0b33a2e0f993abff41c6fbc86951b66d78) for the 4.4 branch.

Credits
-------
I would like to thank Matthias Pigulla (webfactory GmbH) for reporting and fixing the issue.

Fixed by: 4.4.13 (affected by 0 other vulnerabilities), 5.1.5 (affected by 0 other vulnerabilities)
VCID-718a-9ndd-syex
Aliases: CVE-2019-18888, GHSA-xhh6-956q-4q69
Summary: Argument injection in a MimeTypeGuesser in Symfony
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. This is related to symfony/http-foundation (and symfony/mime in 4.3.x).

Fixed by: 4.3.8 (affected by 0 other vulnerabilities)
VCID-cejg-3hqv-kbfd
Aliases: CVE-2019-18886, GHSA-4vpc-5jx4-cfqg
Summary: User enumeration leak using switch user functionality in Symfony
An issue was discovered in Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7. The ability to enumerate users was possible due to different handling depending on whether the user existed when making unauthorized attempts to use the switch users functionality. This is related to symfony/security.

Fixed by: 4.3.8 (affected by 0 other vulnerabilities)
VCID-qr3v-jkjd-qfb1
Aliases: CVE-2019-18889, GHSA-79gr-58r3-pwm3
Summary: Symfony Unsafe Cache Serialization Could Enable RCE
An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is related to symfony/cache.

Fixed by: 4.3.8 (affected by 0 other vulnerabilities)
VCID-s3ep-tgah-aud1
Aliases: CVE-2019-18887, GHSA-q8hg-pf8v-cxrv
Summary: Symfony Http-Kernel has non-constant time comparison in UriSigner
When checking the signature of a URI (an ESI fragment URL for instance), the URISigner did not use a constant time string comparison function, resulting in a potential remote timing attack vulnerability.

Fixed by: 4.3.8 (affected by 0 other vulnerabilities)
VCID-xckj-7eww-e3g4
Aliases: CVE-2019-11325, GHSA-w4rc-rx25-8m86
Summary: Improper Input Validation in Symfony
An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP code. This is related to symfony/var-exporter.

Fixed by: 4.3.8 (affected by 0 other vulnerabilities)
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
| --- | --- | --- | --- | --- | --- |
| 2025-07-01T14:35:46.822416+00:00 | GHSA Importer | Affected by | VCID-267p-fu2q-hyd1 | https://github.com/advisories/GHSA-9c3x-r3wp-mgxm | 36.1.3 |
| 2025-07-01T14:31:32.382092+00:00 | GHSA Importer | Affected by | VCID-s3ep-tgah-aud1 | https://github.com/advisories/GHSA-q8hg-pf8v-cxrv | 36.1.3 |
| 2025-07-01T14:30:26.745135+00:00 | GHSA Importer | Affected by | VCID-2gr1-yfyf-47f1 | https://github.com/advisories/GHSA-754h-5r27-7x3r | 36.1.3 |
| 2025-07-01T14:30:03.736848+00:00 | GHSA Importer | Affected by | VCID-xckj-7eww-e3g4 | https://github.com/advisories/GHSA-w4rc-rx25-8m86 | 36.1.3 |
| 2025-07-01T14:29:59.047913+00:00 | GHSA Importer | Affected by | VCID-cejg-3hqv-kbfd | https://github.com/advisories/GHSA-4vpc-5jx4-cfqg | 36.1.3 |
| 2025-07-01T14:29:58.891968+00:00 | GHSA Importer | Affected by | VCID-718a-9ndd-syex | https://github.com/advisories/GHSA-xhh6-956q-4q69 | 36.1.3 |
| 2025-07-01T14:29:58.689799+00:00 | GHSA Importer | Affected by | VCID-qr3v-jkjd-qfb1 | https://github.com/advisories/GHSA-79gr-58r3-pwm3 | 36.1.3 |