BIT-symfony-2021-41267

Import Source
https://github.com/bitnami/vulndb/tree/main/data/symfony/BIT-symfony-2021-41267.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-symfony-2021-41267
Aliases
Published
2024-03-06T11:07:55.104Z
Modified
2024-03-06T11:25:28.861Z
Summary
[none]
Details

Symfony/Http-Kernel is the HTTP kernel component for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Headers that are not part of the "trusted headers" allow list are ignored, which protects users from cache poisoning attacks. In Symfony 5.2, the maintainers added support for the X-Forwarded-Prefix header, but this header was accessible in sub-requests even when it was not part of the "trusted headers" allow list. An attacker could leverage this to forge requests containing an X-Forwarded-Prefix header, leading to a web cache poisoning issue. Versions 5.3.12 and later include a patch that ensures the X-Forwarded-Prefix header is not forwarded to sub-requests when it is not trusted.
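
As an added illustration of the mechanism described above (not Symfony's code; written in Python as a language-neutral model rather than in PHP), the following contrasts the unpatched and patched handling of an untrusted X-Forwarded-Prefix header on a sub-request. The header names, the rule that sub-requests arrive from trusted loopback, and the sample request are assumptions.

```python
# Added example, not Symfony's code: a model of the trusted-header handling
# the advisory describes. Header names, the loopback sub-request rule and
# the sample request below are assumptions.
FORWARDED = ("HTTP_X_FORWARDED_FOR", "HTTP_X_FORWARDED_HOST",
             "HTTP_X_FORWARDED_PORT", "HTTP_X_FORWARDED_PROTO",
             "HTTP_X_FORWARDED_PREFIX")

# Allow list configured for the client-facing request; PREFIX is deliberately absent.
TRUSTED_HEADERS = frozenset(FORWARDED) - {"HTTP_X_FORWARDED_PREFIX"}

def base_url(server, trusted_proxies, trusted_headers):
    """Honour X-Forwarded-Prefix only from a trusted proxy and only if allowed."""
    prefix = ""
    if server["REMOTE_ADDR"] in trusted_proxies and "HTTP_X_FORWARDED_PREFIX" in trusted_headers:
        prefix = server.get("HTTP_X_FORWARDED_PREFIX", "").rstrip("/")
    return prefix + server.get("SCRIPT_NAME", "")

def subrequest_server(server, trusted_proxies, trusted_headers, fixed):
    """Server vars for an internal sub-request (fragment rendering).

    The sub-request comes from loopback, which is treated as a trusted proxy so
    that forwarded headers legitimately kept from the client still apply.
    Unpatched: everything is copied, so a header the main request did NOT trust
    becomes trusted. Patched: such headers are dropped before the copy."""
    sub = dict(server)
    if fixed:
        untrusted_peer = server["REMOTE_ADDR"] not in trusted_proxies
        for name in FORWARDED:
            if untrusted_peer or name not in trusted_headers:
                sub.pop(name, None)
    sub["REMOTE_ADDR"] = "127.0.0.1"
    return sub

# Constructed sample: a client that is not a trusted proxy sends a prefix header.
CLIENT_REQUEST = {"REMOTE_ADDR": "203.0.113.7", "SCRIPT_NAME": "/index.php",
                  "HTTP_X_FORWARDED_PREFIX": "/forged"}
MAIN_PROXIES = frozenset({"10.0.0.1"})   # the only legitimate reverse proxy
SUB_PROXIES = frozenset({"127.0.0.1"})   # sub-requests trust loopback
ALL_HEADERS = frozenset(FORWARDED)

def generated_base_urls(fixed):
    """Base URL as computed by the main request and by its sub-request."""
    main = base_url(CLIENT_REQUEST, MAIN_PROXIES, TRUSTED_HEADERS)
    sub = subrequest_server(CLIENT_REQUEST, MAIN_PROXIES, TRUSTED_HEADERS, fixed)
    return main, base_url(sub, SUB_PROXIES, ALL_HEADERS)

if __name__ == "__main__":
    print(generated_base_urls(fixed=False))  # ('/index.php', '/forged/index.php')
    print(generated_base_urls(fixed=True))   # ('/index.php', '/index.php')
```

The unpatched sub-request honours a prefix the main request rejected, which is what lets cached URLs be generated under an attacker-chosen prefix; the patched path drops the header before the sub-request is built.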

References

Affected packages

Bitnami / symfony

Package

Name
symfony
Purl
pkg:bitnami/symfony

Severity

  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Affected ranges

Type
SEMVER
Events
Introduced
5.2.0
Fixed
5.3.12