GHSA-mcx4-f5f5-4859

Suggest an improvement
Source
https://github.com/advisories/GHSA-mcx4-f5f5-4859
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/03/GHSA-mcx4-f5f5-4859/GHSA-mcx4-f5f5-4859.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-mcx4-f5f5-4859
Aliases
Related
Published
2020-03-30T20:09:16Z
Modified
2024-02-16T08:11:40.957199Z
Severity
  • 2.6 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L CVSS Calculator
Summary
Prevent cache poisoning via a Response Content-Type header in Symfony
Details

Description

When a Response does not contain a Content-Type header, Symfony falls back to the format defined in the Accept header of the request, leading to a possible mismatch between the response's content and Content-Type header. When the response is cached, this can lead to a corrupted cache where the cached format is not the right one.

Resolution

Symfony does not use the Accept header anymore to guess the Content-Type.

The patch for this issue is available here for the 4.4 branch.

Credits

I would like to thank Xavier Lacot from JoliCode for reporting & Yonel Ceruto and Tobias Schultze for fixing the issue.

Database specific 
{
    "severity": "LOW",
    "nvd_published_at": null,
    "github_reviewed_at": "2020-03-30T19:28:58Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-435"
    ]
}
References

Affected packages

Packagist / symfony/http-foundation

Package

Name
symfony/http-foundation
Purl
pkg:composer/symfony/http-foundation

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.4.0
Fixed
4.4.7

Affected versions

v4.*

v4.4.0
v4.4.1
v4.4.2
v4.4.3
v4.4.4
v4.4.5
v4.4.6

Packagist / symfony/http-foundation

Package

Name
symfony/http-foundation
Purl
pkg:composer/symfony/http-foundation

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Fixed
5.0.7

Affected versions

v5.*

v5.0.0
v5.0.1
v5.0.2
v5.0.3
v5.0.4
v5.0.5
v5.0.6

Packagist / symfony/symfony

Package

Name
symfony/symfony
Purl
pkg:composer/symfony/symfony

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.4.0
Fixed
4.4.7

Affected versions

v4.*

v4.4.0
v4.4.1
v4.4.2
v4.4.3
v4.4.4
v4.4.5
v4.4.6

Packagist / symfony/symfony

Package

Name
symfony/symfony
Purl
pkg:composer/symfony/symfony

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Fixed
5.0.7

Affected versions

v5.*

v5.0.0
v5.0.1
v5.0.2
v5.0.3
v5.0.4
v5.0.5
v5.0.6