CVE-2020-15094 – symfony/http-kernel

Package

Manager: composer
Name: symfony/http-kernel
Vulnerable Version: >=4.3.0 <4.4.13 || >=5.0.0 <5.1.5

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: 0.02248 pctl0.83946

Details

RCE in Symfony Description ----------- The `CachingHttpClient` class from the HttpClient Symfony component relies on the `HttpCache` class to handle requests. `HttpCache` uses internal headers like `X-Body-Eval` and `X-Body-File` to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by `CachingHttpClient` and if an attacker can control the response for a request being made by the `CachingHttpClient`, remote code execution is possible. Resolution ---------- HTTP headers designed for internal use in `HttpCache` are now stripped from remote responses before being passed to `HttpCache`. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/d9910e0b33a2e0f993abff41c6fbc86951b66d78) for the 4.4 branch. Credits ------- I would like to thank Matthias Pigulla (webfactory GmbH) for reporting and fixing the issue.

Metadata

Created: 2020-09-02T17:29:56Z
Modified: 2023-01-24T18:07:50Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-754h-5r27-7x3r/GHSA-754h-5r27-7x3r.json
CWE IDs: ["CWE-212"]
Alternative ID: GHSA-754h-5r27-7x3r
Finding: F082
Auto approve: 1