Main Vulnerability Database Vulnerabilities #VU58370

Inconsistent interpretation of HTTP requests in http-kernel - CVE-2021-41267

Published: November 25, 2021

Vulnerability identifier: #VU58370

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2021-41267

CWE-ID: CWE-444

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Symfony

Affected software:
http-kernel

Detailed vulnerability description

The vulnerability allows a remote attacker to preform HTTP request smuggling attacks.

The vulnerability exists due to improper validation of HTTP requests. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.

Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.

How to mitigate CVE-2021-41267

Install updates from vendor's website.

Sources

https://github.com/symfony/symfony/security/advisories/GHSA-q3j3-w37x-hq2q
https://github.com/symfony/symfony/releases/tag/v5.3.12
https://github.com/symfony/symfony/commit/95dcf51682029e89450aee86267e3d553aa7c487
https://github.com/symfony/symfony/pull/44243

Inconsistent interpretation of HTTP requests in http-kernel - CVE-2021-41267

Detailed vulnerability description

How to mitigate CVE-2021-41267

Sources

Please verify you're human