cnvd - cnvd-2018-21473

cnvd-2018-21473

Vulnerability from cnvd

Title: Sensio Labs Symfony安全绕过漏洞（CNVD-2018-21473）

Description:

Sensio Labs Symfony是法国Sensio Labs公司的一套免费的、基于MVC架构的PHP开发框架。该框架提供常用的功能组件及工具，可用于快速创建复杂的WEB程序。

Sensio Labs Symfony中的Http Foundation存在安全绕过漏洞，攻击者可通过提交特制的‘X-Original-URL’或‘X-Rewrite-URL’HTTP包头值利用该漏洞绕过安全限制，执行未授权的限制。

Severity: 中

Patch Name: Sensio Labs Symfony安全绕过漏洞（CNVD-2018-21473）的补丁

Patch Description:

Sensio Labs Symfony是法国Sensio Labs公司的一套免费的、基于MVC架构的PHP开发框架。该框架提供常用的功能组件及工具，可用于快速创建复杂的WEB程序。

Sensio Labs Symfony中的Http Foundation存在安全绕过漏洞，攻击者可通过提交特制的‘X-Original-URL’或‘X-Rewrite-URL’HTTP包头值利用该漏洞绕过安全限制，执行未授权的限制。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

厂商已发布了漏洞修复程序，请及时关注更新： https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers

Reference: http://www.securityfocus.com/bid/104943 http://www.securitytracker.com/id/1041405 https://github.com/symfony/symfony/commit/e447e8b92148ddb3d1956b96638600ec95e08f6b https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers https://www.drupal.org/SA-CORE-2018-005

Impacted products

Name
['Sensio Labs Symfony >=2.7.0，<=2.7.48', 'Sensio Labs Symfony >=2.8.0，<=2.8.43', 'Sensio Labs Symfony >=3.3.0，<=3.3.17', 'Sensio Labs Symfony >=3.4.0，<=3.4.13', 'Sensio Labs Symfony >=4.0.0，<=4.0.13', 'Sensio Labs Symfony >=4.1.0，<=4.1.2']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2018-14773"
    }
  },
  "description": "Sensio Labs Symfony\u662f\u6cd5\u56fdSensio Labs\u516c\u53f8\u7684\u4e00\u5957\u514d\u8d39\u7684\u3001\u57fa\u4e8eMVC\u67b6\u6784\u7684PHP\u5f00\u53d1\u6846\u67b6\u3002\u8be5\u6846\u67b6\u63d0\u4f9b\u5e38\u7528\u7684\u529f\u80fd\u7ec4\u4ef6\u53ca\u5de5\u5177\uff0c\u53ef\u7528\u4e8e\u5feb\u901f\u521b\u5efa\u590d\u6742\u7684WEB\u7a0b\u5e8f\u3002\r\n\r\nSensio Labs Symfony\u4e2d\u7684Http Foundation\u5b58\u5728\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u63d0\u4ea4\u7279\u5236\u7684\u2018X-Original-URL\u2019\u6216\u2018X-Rewrite-URL\u2019HTTP\u5305\u5934\u503c\u5229\u7528\u8be5\u6f0f\u6d1e\u7ed5\u8fc7\u5b89\u5168\u9650\u5236\uff0c\u6267\u884c\u672a\u6388\u6743\u7684\u9650\u5236\u3002",
  "discovererName": "James Kettle",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2018-21473",
  "openTime": "2018-10-19",
  "patchDescription": "Sensio Labs Symfony\u662f\u6cd5\u56fdSensio Labs\u516c\u53f8\u7684\u4e00\u5957\u514d\u8d39\u7684\u3001\u57fa\u4e8eMVC\u67b6\u6784\u7684PHP\u5f00\u53d1\u6846\u67b6\u3002\u8be5\u6846\u67b6\u63d0\u4f9b\u5e38\u7528\u7684\u529f\u80fd\u7ec4\u4ef6\u53ca\u5de5\u5177\uff0c\u53ef\u7528\u4e8e\u5feb\u901f\u521b\u5efa\u590d\u6742\u7684WEB\u7a0b\u5e8f\u3002\r\n\r\nSensio Labs Symfony\u4e2d\u7684Http Foundation\u5b58\u5728\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u63d0\u4ea4\u7279\u5236\u7684\u2018X-Original-URL\u2019\u6216\u2018X-Rewrite-URL\u2019HTTP\u5305\u5934\u503c\u5229\u7528\u8be5\u6f0f\u6d1e\u7ed5\u8fc7\u5b89\u5168\u9650\u5236\uff0c\u6267\u884c\u672a\u6388\u6743\u7684\u9650\u5236\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Sensio Labs Symfony\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e\uff08CNVD-2018-21473\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Sensio Labs Symfony \u003e=2.7.0\uff0c\u003c=2.7.48",
      "Sensio Labs Symfony \u003e=2.8.0\uff0c\u003c=2.8.43",
      "Sensio Labs Symfony \u003e=3.3.0\uff0c\u003c=3.3.17",
      "Sensio Labs Symfony \u003e=3.4.0\uff0c\u003c=3.4.13",
      "Sensio Labs Symfony \u003e=4.0.0\uff0c\u003c=4.0.13",
      "Sensio Labs Symfony \u003e=4.1.0\uff0c\u003c=4.1.2"
    ]
  },
  "referenceLink": "http://www.securityfocus.com/bid/104943\r\nhttp://www.securitytracker.com/id/1041405\r\nhttps://github.com/symfony/symfony/commit/e447e8b92148ddb3d1956b96638600ec95e08f6b\r\nhttps://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers\r\nhttps://www.drupal.org/SA-CORE-2018-005",
  "serverity": "\u4e2d",
  "submitTime": "2018-08-07",
  "title": "Sensio Labs Symfony\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e\uff08CNVD-2018-21473\uff09"
}

CVE-2018-14773 (GCVE-0-2018-14773)

Vulnerability from cvelistv5

Published

2018-08-03 17:00

Modified

2024-08-05 09:38

Severity ?

CWE

Summary

An issue was discovered in Http Foundation in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. It arises from support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header. These headers are designed for IIS support, but it's not verified that the server is in fact running IIS, which means anybody who can send these requests to an application can trigger this. This affects \Symfony\Component\HttpFoundation\Request::prepareRequestUri() where X-Original-URL and X_REWRITE_URL are both used. The fix drops support for these methods so that they cannot be used as attack vectors such as web cache poisoning.

References

▼	URL	Tags
	http://www.securityfocus.com/bid/104943	vdb-entry, x_refsource_BID
	https://www.drupal.org/SA-CORE-2018-005	x_refsource_CONFIRM
	https://lists.debian.org/debian-lts-announce/2019/03/msg00009.html	mailing-list, x_refsource_MLIST
	https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers	x_refsource_CONFIRM
	https://github.com/symfony/symfony/commit/e447e8b92148ddb3d1956b96638600ec95e08f6b	x_refsource_CONFIRM
	http://www.securitytracker.com/id/1041405	vdb-entry, x_refsource_SECTRACK
	https://www.debian.org/security/2019/dsa-4441	vendor-advisory, x_refsource_DEBIAN
	https://seclists.org/bugtraq/2019/May/21	mailing-list, x_refsource_BUGTRAQ

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T09:38:13.839Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "104943",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/104943"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://www.drupal.org/SA-CORE-2018-005"
          },
          {
            "name": "[debian-lts-announce] 20190310 [SECURITY] [DLA 1707-1] symfony security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00009.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/symfony/symfony/commit/e447e8b92148ddb3d1956b96638600ec95e08f6b"
          },
          {
            "name": "1041405",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1041405"
          },
          {
            "name": "DSA-4441",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2019/dsa-4441"
          },
          {
            "name": "20190510 [SECURITY] [DSA 4441-1] symfony security update",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "https://seclists.org/bugtraq/2019/May/21"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2018-08-01T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in Http Foundation in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. It arises from support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header. These headers are designed for IIS support, but it\u0027s not verified that the server is in fact running IIS, which means anybody who can send these requests to an application can trigger this. This affects \\Symfony\\Component\\HttpFoundation\\Request::prepareRequestUri() where X-Original-URL and X_REWRITE_URL are both used. The fix drops support for these methods so that they cannot be used as attack vectors such as web cache poisoning."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-05-10T15:06:07",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "104943",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/104943"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://www.drupal.org/SA-CORE-2018-005"
        },
        {
          "name": "[debian-lts-announce] 20190310 [SECURITY] [DLA 1707-1] symfony security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00009.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/symfony/symfony/commit/e447e8b92148ddb3d1956b96638600ec95e08f6b"
        },
        {
          "name": "1041405",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1041405"
        },
        {
          "name": "DSA-4441",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2019/dsa-4441"
        },
        {
          "name": "20190510 [SECURITY] [DSA 4441-1] symfony security update",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "https://seclists.org/bugtraq/2019/May/21"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-14773",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "An issue was discovered in Http Foundation in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. It arises from support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header. These headers are designed for IIS support, but it\u0027s not verified that the server is in fact running IIS, which means anybody who can send these requests to an application can trigger this. This affects \\Symfony\\Component\\HttpFoundation\\Request::prepareRequestUri() where X-Original-URL and X_REWRITE_URL are both used. The fix drops support for these methods so that they cannot be used as attack vectors such as web cache poisoning."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "104943",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/104943"
            },
            {
              "name": "https://www.drupal.org/SA-CORE-2018-005",
              "refsource": "CONFIRM",
              "url": "https://www.drupal.org/SA-CORE-2018-005"
            },
            {
              "name": "[debian-lts-announce] 20190310 [SECURITY] [DLA 1707-1] symfony security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00009.html"
            },
            {
              "name": "https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers",
              "refsource": "CONFIRM",
              "url": "https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers"
            },
            {
              "name": "https://github.com/symfony/symfony/commit/e447e8b92148ddb3d1956b96638600ec95e08f6b",
              "refsource": "CONFIRM",
              "url": "https://github.com/symfony/symfony/commit/e447e8b92148ddb3d1956b96638600ec95e08f6b"
            },
            {
              "name": "1041405",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1041405"
            },
            {
              "name": "DSA-4441",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2019/dsa-4441"
            },
            {
              "name": "20190510 [SECURITY] [DSA 4441-1] symfony security update",
              "refsource": "BUGTRAQ",
              "url": "https://seclists.org/bugtraq/2019/May/21"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-14773",
    "datePublished": "2018-08-03T17:00:00",
    "dateReserved": "2018-07-31T00:00:00",
    "dateUpdated": "2024-08-05T09:38:13.839Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted