CVE-2018-14774

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2018-14774
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-14774.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2018-14774
Aliases
Downstream
Published
2018-08-03T17:29:00.347Z
Modified
2026-03-10T14:33:22.829347Z
Severity
  • 7.2 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

An issue was discovered in HttpKernel in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. When using HttpCache, the values of the X-Forwarded-Host headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection.

References

Affected packages

Git / github.com/symfony/symfony

Affected ranges

Type
GIT
Repo
https://github.com/symfony/symfony
Events
Introduced
9975b1eca3de4db792a2c3e4e16f676a4aadcd46
Last affected
34d6116e2b80351c5a6f591285a4e9381b0dd127
Introduced
5615b92cd452cd54f1433a3f53de87c096a1107f
Last affected
e7f50768f107fa951f4c80dc447b893502cf2e89
Introduced
5a7e31c48e7cd4831efa409fffb661beb9995174
Last affected
4639525c796227ec36652ad97192a5eb3de74f76
Introduced
0a47db379b8cc74cdd84e1e6870fafc4a4ac8351
Last affected
c406c5a4f11fc00b60d3ec585125350418c4568d
Introduced
26ca7023b1c45dce951da7206ed70049267d27bc
Last affected
b2fc878468756fbfac367a48a1060bbf3974e9be
Introduced
58261043876feb695640457c5675bb331a6eb3b7
Last affected
c42cc18492fe7bbfc507822ac62e3179a6518d71
Fixed
725dee4cd8b4ccd52e335ae4b4522242cea9bd4a
Database specific 
{
    "versions": [
        {
            "introduced": "2.7.0"
        },
        {
            "last_affected": "2.7.48"
        },
        {
            "introduced": "2.8.0"
        },
        {
            "last_affected": "2.8.43"
        },
        {
            "introduced": "3.3.0"
        },
        {
            "last_affected": "3.3.17"
        },
        {
            "introduced": "3.4.0"
        },
        {
            "last_affected": "3.4.13"
        },
        {
            "introduced": "4.0.0"
        },
        {
            "last_affected": "4.0.13"
        },
        {
            "introduced": "4.1.0"
        },
        {
            "last_affected": "4.1.2"
        }
    ]
}

Affected versions

v2.*
v2.3.30
v2.3.31
v2.3.32
v2.3.33
v2.3.34
v2.3.35
v2.3.36
v2.3.37
v2.3.38
v2.3.39
v2.3.40
v2.3.41
v2.3.42
v2.6.10
v2.7.0
v2.7.1
v2.7.10
v2.7.11
v2.7.12
v2.7.13
v2.7.14
v2.7.15
v2.7.16
v2.7.17
v2.7.18
v2.7.19
v2.7.2
v2.7.20
v2.7.21
v2.7.22
v2.7.23
v2.7.24
v2.7.25
v2.7.26
v2.7.27
v2.7.28
v2.7.29
v2.7.3
v2.7.30
v2.7.31
v2.7.32
v2.7.33
v2.7.34
v2.7.35
v2.7.36
v2.7.37
v2.7.38
v2.7.39
v2.7.4
v2.7.40
v2.7.41
v2.7.42
v2.7.43
v2.7.44
v2.7.45
v2.7.46
v2.7.47
v2.7.48
v2.7.5
v2.7.6
v2.7.7
v2.7.8
v2.7.9
v2.8.0
v2.8.0-BETA1
v2.8.1
v2.8.10
v2.8.11
v2.8.12
v2.8.13
v2.8.14
v2.8.15
v2.8.16
v2.8.17
v2.8.18
v2.8.19
v2.8.2
v2.8.20
v2.8.21
v2.8.22
v2.8.23
v2.8.24
v2.8.25
v2.8.26
v2.8.27
v2.8.28
v2.8.29
v2.8.3
v2.8.30
v2.8.31
v2.8.32
v2.8.33
v2.8.34
v2.8.35
v2.8.36
v2.8.37
v2.8.38
v2.8.39
v2.8.4
v2.8.40
v2.8.41
v2.8.42
v2.8.43
v2.8.5
v2.8.6
v2.8.7
v2.8.8
v2.8.9
v3.*
v3.0.0
v3.0.0-BETA1
v3.0.1
v3.0.2
v3.0.3
v3.0.4
v3.0.5
v3.0.6
v3.0.7
v3.0.8
v3.1.0
v3.1.0-BETA1
v3.1.0-RC1
v3.1.1
v3.1.2
v3.1.3
v3.1.4
v3.1.5
v3.1.6
v3.1.7
v3.1.8
v3.1.9
v3.2.0
v3.2.0-BETA1
v3.2.0-RC1
v3.2.0-RC2
v3.2.1
v3.2.10
v3.2.11
v3.2.12
v3.2.13
v3.2.2
v3.2.3
v3.2.4
v3.2.5
v3.2.6
v3.2.7
v3.2.8
v3.2.9
v3.3.0
v3.3.0-BETA1
v3.3.0-RC1
v3.3.1
v3.3.10
v3.3.11
v3.3.12
v3.3.13
v3.3.14
v3.3.15
v3.3.16
v3.3.17
v3.3.2
v3.3.3
v3.3.4
v3.3.5
v3.3.6
v3.3.7
v3.3.8
v3.3.9

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-14774.json"