Main Vulnerability Database Vulnerabilities #VU14165

Support for legacy HTTP methods in Symfony - CVE-2018-14773

Published: August 1, 2018

Vulnerability identifier: #VU14165

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2018-14773

CWE-ID: CWE-749

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: SensioLabs

Affected software:
Symfony

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to Symfony HttpFoundation component includes support for legacy Microsoft IIS headers X-Original-URL and X-Rewrite-URL. A remote attacker can send a specially crafted HTTP request to the vulnerable application requesting one URL but have Symphony return a different one. An attacker can abuse X-Original-URL and X-Rewrite-URL headers to access otherwise restricted functionality and bypass restrictions on higher level caches and web servers.

How to mitigate CVE-2018-14773

The vulnerability is fixed in Symfony 2.7.49, 2.8.44, 3.3.18, 3.4.14, 4.0.14, and 4.1.3.

Sources

https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers

Support for legacy HTTP methods in Symfony - CVE-2018-14773

Detailed vulnerability description

How to mitigate CVE-2018-14773

Sources

Please verify you're human