CVE-2024-50345 – symfony/http-foundation

Package

Manager: composer
Name: symfony/http-foundation
Vulnerable Version: >=0 <5.4.46 || >=6.0.0 <6.4.14 || >=7.0.0 <7.1.7

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.0012 pctl0.317

Details

Symfony vulnerable to open redirect via browser-sanitized URLs ### Description The `Request` class, does not parse URI with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the `Request` class to redirect users to another domain. ### Resolution The `Request::create` methods now assert the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/ The patch for this issue is available [here](https://github.com/symfony/symfony/commit/5a9b08e5740af795854b1b639b7d45b9cbfe8819) for branch 5.4. ### Credits We would like to thank Sam Mush - IPASSLab && ZGC Lab for reporting the issue and Nicolas Grekas for providing the fix.

Metadata

Created: 2024-11-06T15:22:09Z
Modified: 2024-11-12T21:11:31Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-mrqx-rp3w-jpjp/GHSA-mrqx-rp3w-jpjp.json
CWE IDs: ["CWE-601"]
Alternative ID: GHSA-mrqx-rp3w-jpjp
Finding: F007
Auto approve: 1