CVE-2020-15094 - In Symfony before versions 4.4.13 and 5.1.5, the CachingHttpClient class from the HttpClient Symfony

CVE-2020-15094

Summary

In Symfony before versions 4.4.13 and 5.1.5, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response for a request being made by the CachingHttpClient, remote code execution is possible. This has been fixed in versions 4.4.13 and 5.1.5.

References

Vulnerable Configurations

cpe:2.3:a:sensiolabs:httpclient:5.1.0:-:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:httpclient:5.1.0:-:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:httpclient:5.1.0:beta1:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:httpclient:5.1.0:beta1:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:httpclient:5.1.0:rc1:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:httpclient:5.1.0:rc1:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:httpclient:5.1.0:rc2:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:httpclient:5.1.0:rc2:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:httpclient:5.1.1:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:httpclient:5.1.1:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:httpclient:5.1.2:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:httpclient:5.1.2:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:httpclient:5.1.3:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:httpclient:5.1.3:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:httpclient:5.1.4:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:httpclient:5.1.4:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:httpclient:4.4.0:-:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:httpclient:4.4.0:-:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:httpclient:4.4.0:beta1:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:httpclient:4.4.0:beta1:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:httpclient:4.4.0:beta2:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:httpclient:4.4.0:beta2:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:httpclient:4.4.0:rc1:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:httpclient:4.4.0:rc1:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:httpclient:4.4.1:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:httpclient:4.4.1:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:httpclient:4.4.2:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:httpclient:4.4.2:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:httpclient:4.4.3:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:httpclient:4.4.3:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:httpclient:4.4.4:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:httpclient:4.4.4:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:httpclient:4.4.5:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:httpclient:4.4.5:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:httpclient:4.4.6:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:httpclient:4.4.6:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:httpclient:4.4.7:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:httpclient:4.4.7:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:httpclient:4.4.8:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:httpclient:4.4.8:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:httpclient:4.4.9:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:httpclient:4.4.9:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:httpclient:4.4.10:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:httpclient:4.4.10:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:httpclient:4.4.11:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:httpclient:4.4.11:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:httpclient:4.4.12:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:httpclient:4.4.12:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:symfony:4.4.0:-:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:symfony:4.4.0:-:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:symfony:4.4.0:beta1:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:symfony:4.4.0:beta1:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:symfony:4.4.0:beta2:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:symfony:4.4.0:beta2:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:symfony:4.4.0:rc1:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:symfony:4.4.0:rc1:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:symfony:4.4.1:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:symfony:4.4.1:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:symfony:4.4.2:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:symfony:4.4.2:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:symfony:4.4.3:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:symfony:4.4.3:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:symfony:4.4.4:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:symfony:4.4.4:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:symfony:4.4.5:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:symfony:4.4.5:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:symfony:4.4.6:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:symfony:4.4.6:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:symfony:4.4.7:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:symfony:4.4.7:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:symfony:4.4.8:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:symfony:4.4.8:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:symfony:4.4.9:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:symfony:4.4.9:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:symfony:4.4.10:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:symfony:4.4.10:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:symfony:4.4.11:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:symfony:4.4.11:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:symfony:4.4.12:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:symfony:4.4.12:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:symfony:5.1.0:-:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:symfony:5.1.0:-:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:symfony:5.1.0:beta1:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:symfony:5.1.0:beta1:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:symfony:5.1.0:rc1:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:symfony:5.1.0:rc1:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:symfony:5.1.0:rc2:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:symfony:5.1.0:rc2:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:symfony:5.1.1:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:symfony:5.1.1:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:symfony:5.1.2:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:symfony:5.1.2:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:symfony:5.1.3:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:symfony:5.1.3:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:symfony:5.1.4:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:symfony:5.1.4:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*

CVSS

Base:	7.5 (as of 24-01-2023 - 02:07)
Impact:
Exploitability:

CWE

CWE-212

CAPEC

Windows ::DATA Alternate Data Stream
An attacker exploits the functionality of Microsoft NTFS Alternate Data Streams (ADS) to undermine system security. ADS allows multiple "files" to be stored in one directory entry referenced as filename:streamname. One or more alternate data streams may be stored in any file or directory. Normal Microsoft utilities do not show the presence of an ADS stream attached to a file. The additional space for the ADS is not recorded in the displayed file size. The additional space for ADS is accounted for in the used space on the volume. An ADS can be any type of file. ADS are copied by standard Microsoft utilities between NTFS volumes. ADS can be used by an attacker or intruder to hide tools, scripts, and data from detection by normal system utilities. Many anti-virus programs do not check for or scan ADS. Windows Vista does have a switch (-R) on the command line DIR command that will display alternate streams.

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	PARTIAL	PARTIAL

cvss-vector via4

AV:N/AC:L/Au:N/C:P/I:P/A:P

refmap via4

confirm	https://github.com/symfony/symfony/security/advisories/GHSA-754h-5r27-7x3r
fedora	FEDORA-2020-16eb328853 FEDORA-2020-1c549262f1
misc	https://github.com/symfony/symfony/commit/d9910e0b33a2e0f993abff41c6fbc86951b66d78 https://packagist.org/packages/symfony/http-kernel https://packagist.org/packages/symfony/symfony

Last major update

24-01-2023 - 02:07

Published

02-09-2020 - 18:15

Last modified

24-01-2023 - 02:07