CVE-2015-4050
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2015-4050
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2015-4050.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2015-4050
- Aliases
- Related
- Published
- 2015-06-02T14:59:12Z
- Modified
- 2024-09-18T01:00:20Z
- Summary
- [none]
- Details
-
FragmentListener in the HttpKernel component in Symfony 2.3.19 through 2.3.28, 2.4.9 through 2.4.10, 2.5.4 through 2.5.11, and 2.6.0 through 2.6.7, when ESI or SSI support enabled, does not check if the controller attribute is set, which allows remote attackers to bypass URL signing and security rules by including (1) no hash or (2) an invalid hash in a request to /fragment.
- References
-
- http://symfony.com/blog/cve-2015-4050-esi-unauthorized-access
- http://www.debian.org/security/2015/dsa-3276
- http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159513.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159603.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159610.html
- http://www.securityfocus.com/bid/74928
- https://security-tracker.debian.org/tracker/CVE-2015-4050
Affected packages
Debian:11 / symfony
Package
- Name
- symfony
- Purl
- pkg:deb/debian/symfony?arch=source
Debian:12 / symfony
Package
- Name
- symfony
- Purl
- pkg:deb/debian/symfony?arch=source
Debian:13 / symfony
Package
- Name
- symfony
- Purl
- pkg:deb/debian/symfony?arch=source