GHSA-qmqw-mpqp-mr54

Source

https://github.com/advisories/GHSA-qmqw-mpqp-mr54

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-qmqw-mpqp-mr54/GHSA-qmqw-mpqp-mr54.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-qmqw-mpqp-mr54

Aliases

CVE-2015-4050

Published

2022-05-17T03:11:51Z

Modified

2024-12-05T05:42:42.499490Z

Summary

Symfony Incorrect Access Control

Details

FragmentListener in the HttpKernel component in Symfony 2.3.19 through 2.3.28, 2.4.9 through 2.4.10, 2.5.4 through 2.5.11, and 2.6.0 through 2.6.7, when ESI or SSI support enabled, does not check if the _controller attribute is set, which allows remote attackers to bypass URL signing and security rules by including (1) no hash or (2) an invalid hash in a request to /_fragment.

This issue has been fixed in Symfony 2.3.29, 2.5.12, and 2.6.8. Note that no fixes are provided for Symfony 2.4 as it's not maintained anymore.

Database specific

{
    "nvd_published_at": "2015-06-02T14:59:00Z",
    "cwe_ids": [
        "CWE-284"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-03T21:47:36Z"
}

References

Affected packages

Packagist / symfony/http-kernel

Package

Name: symfony/http-kernel
Purl: pkg:composer/symfony/http-kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.3.19

Fixed

2.3.29

Affected versions

v2.*

v2.3.19

v2.3.20

v2.3.21

v2.3.22

v2.3.23

v2.3.24

v2.3.25

v2.3.26

v2.3.27

v2.3.28

Packagist / symfony/http-kernel

Package

Name: symfony/http-kernel
Purl: pkg:composer/symfony/http-kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.5.4

Fixed

2.5.12

Affected versions

v2.*

v2.5.4

v2.5.5

v2.5.6

v2.5.7

v2.5.8

v2.5.9

v2.5.10

v2.5.11

Packagist / symfony/http-kernel

Package

Name: symfony/http-kernel
Purl: pkg:composer/symfony/http-kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.6.0

Fixed

2.6.8

Affected versions

v2.*

v2.6.0

v2.6.1

v2.6.2

v2.6.3

v2.6.4

v2.6.5

v2.6.6

v2.6.7

Packagist / symfony/symfony

Package

Name: symfony/symfony
Purl: pkg:composer/symfony/symfony

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.3.19

Fixed

2.3.29

Affected versions

v2.*

v2.3.19

v2.3.20

v2.3.21

v2.3.22

v2.3.23

v2.3.24

v2.3.25

v2.3.26

v2.3.27

v2.3.28

Packagist / symfony/symfony

Package

Name: symfony/symfony
Purl: pkg:composer/symfony/symfony

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.4.9

Last affected

2.4.10

Affected versions

v2.*

v2.4.9

v2.4.10

Packagist / symfony/symfony

Package

Name: symfony/symfony
Purl: pkg:composer/symfony/symfony

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.5.4

Fixed

2.5.12

Affected versions

v2.*

v2.5.4

v2.5.5

v2.5.6

v2.5.7

v2.5.8

v2.5.9

v2.5.10

v2.5.11

Packagist / symfony/symfony

Package

Name: symfony/symfony
Purl: pkg:composer/symfony/symfony

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.6.0

Fixed

2.6.8

Affected versions

v2.*

v2.6.0

v2.6.1

v2.6.2

v2.6.3

v2.6.4

v2.6.5

v2.6.6

v2.6.7

Packagist / symfony/http-kernel

Package

Name: symfony/http-kernel
Purl: pkg:composer/symfony/http-kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.4.9

Last affected

2.4.10

Affected versions

v2.*

v2.4.9

v2.4.10