GHSA-66p6-7p29-55p9

Source

https://github.com/advisories/GHSA-66p6-7p29-55p9

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-66p6-7p29-55p9/GHSA-66p6-7p29-55p9.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-66p6-7p29-55p9

Aliases

CVE-2018-14774

Published

2022-05-14T02:20:59Z

Modified

2024-02-16T08:17:36.181256Z

Severity

7.2 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N CVSS Calculator

Summary

Symfony Host Header Injection

Details

An issue was discovered in HttpKernel in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. When using HttpCache, the values of the X-Forwarded-Host headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection.

Database specific

{
    "nvd_published_at": "2018-08-03T17:29:00Z",
    "cwe_ids": [
        "CWE-20"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-25T19:14:01Z"
}

References

Affected packages

Packagist / symfony/symfony

Package

Name: symfony/symfony
Purl: pkg:composer/symfony/symfony

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.7.0

Fixed

2.7.49

Affected versions

v2.*

v2.7.0

v2.7.1

v2.7.2

v2.7.3

v2.7.4

v2.7.5

v2.7.6

v2.7.7

v2.7.8

v2.7.9

v2.7.10

v2.7.11

v2.7.12

v2.7.13

v2.7.14

v2.7.15

v2.7.16

v2.7.17

v2.7.18

v2.7.19

v2.7.20

v2.7.21

v2.7.22

v2.7.23

v2.7.24

v2.7.25

v2.7.26

v2.7.27

v2.7.28

v2.7.29

v2.7.30

v2.7.31

v2.7.32

v2.7.33

v2.7.34

v2.7.35

v2.7.36

v2.7.37

v2.7.38

v2.7.39

v2.7.40

v2.7.41

v2.7.42

v2.7.43

v2.7.44

v2.7.45

v2.7.46

v2.7.47

v2.7.48

Database specific

{
    "last_known_affected_version_range": "<= 2.7.48"
}

Packagist / symfony/symfony

Package

Name: symfony/symfony
Purl: pkg:composer/symfony/symfony

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.8.0

Fixed

2.8.44

Affected versions

v2.*

v2.8.0

v2.8.1

v2.8.2

v2.8.3

v2.8.4

v2.8.5

v2.8.6

v2.8.7

v2.8.8

v2.8.9

v2.8.10

v2.8.11

v2.8.12

v2.8.13

v2.8.14

v2.8.15

v2.8.16

v2.8.17

v2.8.18

v2.8.19

v2.8.20

v2.8.21

v2.8.22

v2.8.23

v2.8.24

v2.8.25

v2.8.26

v2.8.27

v2.8.28

v2.8.29

v2.8.30

v2.8.31

v2.8.32

v2.8.33

v2.8.34

v2.8.35

v2.8.36

v2.8.37

v2.8.38

v2.8.39

v2.8.40

v2.8.41

v2.8.42

v2.8.43

Database specific

{
    "last_known_affected_version_range": "<= 2.8.43"
}

Packagist / symfony/symfony

Package

Name: symfony/symfony
Purl: pkg:composer/symfony/symfony

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.3.0

Fixed

3.3.18

Affected versions

v3.*

v3.3.0

v3.3.1

v3.3.2

v3.3.3

v3.3.4

v3.3.5

v3.3.6

v3.3.7

v3.3.8

v3.3.9

v3.3.10

v3.3.11

v3.3.12

v3.3.13

v3.3.14

v3.3.15

v3.3.16

v3.3.17

Database specific

{
    "last_known_affected_version_range": "<= 3.3.17"
}

Packagist / symfony/symfony

Package

Name: symfony/symfony
Purl: pkg:composer/symfony/symfony

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.4.0

Fixed

3.4.14

Affected versions

v3.*

v3.4.0

v3.4.1

v3.4.2

v3.4.3

v3.4.4

v3.4.5

v3.4.6

v3.4.7

v3.4.8

v3.4.9

v3.4.10

v3.4.11

v3.4.12

v3.4.13

Database specific

{
    "last_known_affected_version_range": "<= 3.4.13"
}

Packagist / symfony/symfony

Package

Name: symfony/symfony
Purl: pkg:composer/symfony/symfony

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0.0

Fixed

4.0.14

Affected versions

v4.*

v4.0.0

v4.0.1

v4.0.2

v4.0.3

v4.0.4

v4.0.5

v4.0.6

v4.0.7

v4.0.8

v4.0.9

v4.0.10

v4.0.11

v4.0.12

v4.0.13

Database specific

{
    "last_known_affected_version_range": "<= 4.0.13"
}

Packagist / symfony/symfony

Package

Name: symfony/symfony
Purl: pkg:composer/symfony/symfony

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.1.0

Fixed

4.1.3

Affected versions

v4.*

v4.1.0

v4.1.1

v4.1.2

Database specific

{
    "last_known_affected_version_range": "<= 4.1.2"
}