Fluid Attacks Database

Description

symfony/http-foundation is a module for the Symphony PHP framework which defines an object-oriented layer for the HTTP specification. The Request class, does not parse URI with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the Request class to redirect users to another domain. The Request::create methods now assert the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/. This issue has been patched in versions 5.4.46, 6.4.14, and 7.1.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	symfony	=4.4.19+dfsg-2 \|\| =4.4.19+dfsg-2+deb11u1 \|\| =4.4.19+dfsg-2+deb11u2 \|\| =4.4.19+dfsg-2+deb11u3 \|\| =4.4.19+dfsg-2+deb11u4 \|\| =4.4.19+dfsg-2+deb11u5 \|\| =4.4.19+dfsg-2+deb11u6 \|\| >=0 <4.4.19+dfsg-2+deb11u7	4.4.19+dfsg-2+deb11u7
debian 12	symfony	=5.4.23+dfsg-1 \|\| =5.4.23+dfsg-1+deb12u1 \|\| =5.4.23+dfsg-1+deb12u2 \|\| >=0 <5.4.23+dfsg-1+deb12u3	5.4.23+dfsg-1+deb12u3
debian 13	symfony	>=0 <6.4.14+dfsg-1	6.4.14+dfsg-1
packagist	symfony/http-foundation	>=0 <5.4.46 \|\| >=6.0.0 <6.4.14 \|\| >=7.0.0 <7.1.7	5.4.46, 6.4.14, 7.1.7
packagist	symfony/symfony	>=0 <5.4.46 \|\| >=6.0.0 <6.4.14 \|\| >=7.0.0 <7.1.7	5.4.46, 6.4.14, 7.1.7
debian 14	symfony	>=0 <6.4.14+dfsg-1	6.4.14+dfsg-1

Aliases

1. CVE-2024-503452. NVD-2024-503453. OSV-DEBIAN-2024-503454. OSV-2024-503455. GHSA-mrqx-rp3w-jpjp6. GCVE-2024-503457. SECURITY-TRACKER-CVE-2024-503458. lists.debian.org9. GHSA-mrqx-rp3w-jpjp10. https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2024-50345.yaml11. https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2024-50345.yaml12. SYMFONY-cve-2024-50345

References

1. https://github.com/symfony/symfony/security/advisories/GHSA-mrqx-rp3w-jpjp2. https://github.com/symfony/symfony/commit/5a9b08e5740af795854b1b639b7d45b9cbfe88193. https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2024-50345.yaml4. https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2024-50345.yaml5. https://symfony.com/cve-2024-503456. https://url.spec.whatwg.org7. https://github.com/symfony/symfony

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.