CVE-2024-50342 – symfony/http-client

Package

Manager: composer
Name: symfony/http-client
Vulnerable Version: >=4.3.0 <5.4.47 || >=6.0.0 <6.4.15 || >=7.0.0 <7.1.8

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00032 pctl0.07607

Details

Symfony allows internal address and port enumeration by NoPrivateNetworkHttpClient ### Description When using the `NoPrivateNetworkHttpClient`, some internal information is still leaking during host resolution, which leads to possible IP/port enumeration. ### Resolution The `NoPrivateNetworkHttpClient` now filters blocked IPs earlier to prevent such leaks. The fisrt patch for this issue is available [here](https://github.com/symfony/symfony/commit/296d4b34a33b1a6ca5475c6040b3203622520f5b) for branch 5.4. The second one is available [here](https://github.com/symfony/symfony/commit/b4bf5afdbdcb2fd03da513ee03beeabeb551e5fa) for branch 5.4 also. ### Credits We would like to thank Linus Karlsson and Chris Smith for reporting the issue and Nicolas Grekas for providing the fix.

Metadata

Created: 2024-11-06T15:16:09Z
Modified: 2024-11-13T18:51:04Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-9c3x-r3wp-mgxm/GHSA-9c3x-r3wp-mgxm.json
CWE IDs: ["CWE-200"]
Alternative ID: GHSA-9c3x-r3wp-mgxm
Finding: F038
Auto approve: 1