Fluid Attacks Database

Description

Symfony Host Header Injection An issue was discovered in HttpKernel in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. When using HttpCache, the values of the X-Forwarded-Host headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	symfony	>=0 <3.4.14+dfsg-1	3.4.14+dfsg-1
packagist	symfony/symfony	>=2.7.0 <2.7.49 \|\| >=2.8.0 <2.8.44 \|\| >=3.3.0 <3.3.18 \|\| >=3.4.0 <3.4.14 \|\| >=4.0.0 <4.0.14 \|\| >=4.1.0 <4.1.3	2.7.49, 2.8.44, 3.3.18, 3.4.14, 4.0.14, 4.1.3
debian 11	symfony	>=0 <3.4.14+dfsg-1	3.4.14+dfsg-1
debian 12	symfony	>=0 <3.4.14+dfsg-1	3.4.14+dfsg-1
debian 14	symfony	>=0 <3.4.14+dfsg-1	3.4.14+dfsg-1

Aliases

1. CVE-2018-147742. NVD-2018-147743. OSV-DEBIAN-2018-147744. OSV-2018-147745. GCVE-2018-147746. SECURITY-TRACKER-CVE-2018-14774

References

1. https://github.com/symfony/symfony/commit/725dee4cd8b4ccd52e335ae4b4522242cea9bd4a2. https://github.com/symfony/symfony/commit/7f912bbb78377c2ea331b3da28363435fbd913373. https://github.com/symfony/symfony/commit/96504fb8c9f91204727d2930eb837473ce1549564. https://github.com/symfony/symfony/commit/974240e178bb01d734bf1df1ad5c3beba6a2f9825. https://github.com/symfony/symfony/commit/9cfcaba0bf71f87683510b5f47ebaac5f5d6a5ba6. https://github.com/symfony/symfony/commit/bcf5897bb1a99d4acae8bf7b73e81bfdeaac09227. https://symfony.com/blog/cve-2018-14774-possible-host-header-injection-when-using-httpcache