CVE-2018-14773

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2018-14773

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-14773.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2018-14773

Aliases

GHSA-8wgj-6wx8-h5hq

Related

Published

2018-08-03T17:29:00Z

Modified

2024-09-18T02:57:46.299897Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

[none]

Details

An issue was discovered in Http Foundation in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. It arises from support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header. These headers are designed for IIS support, but it's not verified that the server is in fact running IIS, which means anybody who can send these requests to an application can trigger this. This affects \Symfony\Component\HttpFoundation\Request::prepareRequestUri() where X-Original-URL and XREWRITEURL are both used. The fix drops support for these methods so that they cannot be used as attack vectors such as web cache poisoning.

References

Affected packages

Debian:11 / symfony

Package

Name: symfony
Purl: pkg:deb/debian/symfony?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.4.14+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / symfony

Package

Name: symfony
Purl: pkg:deb/debian/symfony?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.4.14+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / symfony

Package

Name: symfony
Purl: pkg:deb/debian/symfony?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.4.14+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/drupal/drupal

Affected ranges

Type: GIT
Repo: https://github.com/drupal/drupal
Events: Introduced

35c2f3ca5c935f3d8bde15932a712677c9bbd50f

Fixed

37126ee7072e91debe8ad359add4b711d2b97e29

Type: GIT
Repo: https://github.com/symfony/symfony
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

e447e8b92148ddb3d1956b96638600ec95e08f6b

Affected versions

8.*

8.0.0

8.1.0-beta1

8.5.0

8.5.0-alpha1

8.5.0-beta1

8.5.0-rc1

8.5.1

8.5.2

8.5.3

8.5.4

8.5.5

v2.*

v2.0.0

v2.0.0-RC1

v2.0.0-RC2

v2.0.0-RC3

v2.0.0-RC4

v2.0.0-RC5

v2.0.0-RC6

v2.0.0BETA1

v2.0.0BETA2

v2.0.0BETA3

v2.0.0BETA4

v2.0.0BETA5

v2.0.0PR8

v2.0.1

v2.0.10

v2.0.11

v2.0.12

v2.0.13

v2.0.14

v2.0.15

v2.0.16

v2.0.17

v2.0.18

v2.0.19

v2.0.2

v2.0.20

v2.0.21

v2.0.22

v2.0.23

v2.0.3

v2.0.4

v2.0.5

v2.0.6

v2.0.7

v2.0.8

v2.0.9

v2.1.0

v2.1.0-BETA1

v2.1.0-BETA2

v2.1.0-BETA3

v2.1.0-BETA4

v2.1.0-RC1

v2.1.0-RC2

v2.1.1

v2.1.10

v2.1.11

v2.1.2

v2.1.3

v2.1.4

v2.1.5

v2.1.6

v2.1.7

v2.1.8

v2.1.9

v2.2.0

v2.2.0-BETA1

v2.2.0-BETA2

v2.2.0-RC1

v2.2.0-RC2

v2.2.0-RC3

v2.2.1

v2.2.10

v2.2.11

v2.2.2

v2.2.3

v2.2.4

v2.2.5

v2.2.6

v2.2.7

v2.2.8

v2.2.9

v2.3.0

v2.3.0-BETA1

v2.3.0-BETA2

v2.3.0-RC1

v2.3.1

v2.3.10

v2.3.11

v2.3.12

v2.3.13

v2.3.14

v2.3.15

v2.3.16

v2.3.17

v2.3.18

v2.3.19

v2.3.2

v2.3.20

v2.3.21

v2.3.22

v2.3.23

v2.3.24

v2.3.25

v2.3.26

v2.3.27

v2.3.28

v2.3.29

v2.3.3

v2.3.30

v2.3.31

v2.3.32

v2.3.33

v2.3.34

v2.3.35

v2.3.36

v2.3.37

v2.3.38

v2.3.39

v2.3.4

v2.3.40

v2.3.41

v2.3.42

v2.3.5

v2.3.6

v2.3.7

v2.3.8

v2.3.9

v2.4.0

v2.4.0-BETA1

v2.4.0-BETA2

v2.4.0-RC1

v2.4.1

v2.4.2

v2.4.3

v2.4.4

v2.4.5

v2.4.6

v2.4.7

v2.4.8

v2.4.9

v2.5.0

v2.5.0-BETA1

v2.5.0-BETA2

v2.5.0-RC1

v2.5.1

v2.5.10

v2.5.2

v2.5.3

v2.5.4

v2.5.5

v2.5.6

v2.5.7

v2.5.8

v2.5.9

v2.6.0

v2.6.0-BETA1

v2.6.0-BETA2

v2.6.1

v2.6.10

v2.6.2

v2.6.3

v2.6.4

v2.6.5

v2.6.6

v2.6.7

v2.6.8

v2.6.9

v2.7.0

v2.7.0-BETA1

v2.7.0-BETA2

v2.7.1

v2.7.10

v2.7.11

v2.7.12

v2.7.13

v2.7.14

v2.7.15

v2.7.16

v2.7.17

v2.7.18

v2.7.19

v2.7.2

v2.7.20

v2.7.21

v2.7.22

v2.7.23

v2.7.24

v2.7.25

v2.7.26

v2.7.27

v2.7.28

v2.7.29

v2.7.3

v2.7.30

v2.7.31

v2.7.32

v2.7.33

v2.7.34

v2.7.35

v2.7.36

v2.7.37

v2.7.38

v2.7.39

v2.7.4

v2.7.40

v2.7.41

v2.7.42

v2.7.43

v2.7.44

v2.7.45

v2.7.46

v2.7.47

v2.7.5

v2.7.6

v2.7.7

v2.7.8

v2.7.9

v2.8.0

v2.8.0-BETA1

v2.8.1

v2.8.10

v2.8.11

v2.8.12

v2.8.13

v2.8.14

v2.8.15

v2.8.16

v2.8.17

v2.8.18

v2.8.19

v2.8.2

v2.8.20

v2.8.21

v2.8.22

v2.8.23

v2.8.24

v2.8.25

v2.8.26

v2.8.27

v2.8.28

v2.8.29

v2.8.3

v2.8.30

v2.8.31

v2.8.32

v2.8.33

v2.8.34

v2.8.35

v2.8.36

v2.8.37

v2.8.38

v2.8.39

v2.8.4

v2.8.40

v2.8.41

v2.8.42

v2.8.5

v2.8.6

v2.8.7

v2.8.8

v2.8.9

Other

vPR10

vPR11

vPR12

vPR3

vPR4

vPR5

vPR6

vPR8

vPR9