#VU14165 Support for legacy HTTP methods in Symfony - CVE-2018-14773
Published: August 1, 2018
Symfony
SensioLabs
Description
The vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists because the Symfony HttpFoundation component includes support for the legacy Microsoft IIS headers X-Original-URL and X-Rewrite-URL. A remote attacker can send a specially crafted HTTP request to the vulnerable application requesting one URL but have Symfony resolve and return a different one. An attacker can abuse the X-Original-URL and X-Rewrite-URL headers to access otherwise restricted functionality and bypass restrictions enforced by higher-level caches and web servers.
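The following is an added model of the behaviour the advisory describes; it is constructed for illustration and is not Symfony's own code. It contrasts a resolver that honours the two legacy headers with the fixed behaviour that ignores them, and adds the edge-side check and header stripping a defender would want. The paths (/public, /admin), the toy edge rule, and the header precedence order are assumptions.

```python
# Constructed model of the CVE-2018-14773 path-override behaviour (not Symfony code).
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# The legacy IIS headers named in the advisory, compared case-insensitively.
OVERRIDE_HEADERS = ("x-original-url", "x-rewrite-url")


@dataclass
class Request:
    request_uri: str                                   # what the web server or cache saw
    headers: Dict[str, str] = field(default_factory=dict)

    def lower_headers(self) -> Dict[str, str]:
        return {k.lower(): v for k, v in self.headers.items()}


def resolve_uri_legacy(req: Request) -> str:
    """Vulnerable behaviour: an override header replaces the real request URI."""
    h = req.lower_headers()
    for name in OVERRIDE_HEADERS:        # precedence order is an assumption
        if name in h:
            return h[name]
    return req.request_uri


def resolve_uri_fixed(req: Request) -> str:
    """Fixed behaviour: the override headers are ignored entirely."""
    return req.request_uri


def edge_allows(path: str) -> bool:
    """Toy rule a front proxy enforces on the URI it sees (constructed)."""
    return not path.startswith("/admin")


def served_path(req: Request, resolver: Callable[[Request], str]) -> str:
    """Path the application routes after the edge has checked only request_uri."""
    if not edge_allows(req.request_uri):
        return "403"
    return resolver(req)


def override_headers_present(req: Request) -> List[str]:
    """Detection helper: override header names found on a request, for logging or alerting."""
    return [k for k in req.headers if k.lower() in OVERRIDE_HEADERS]


def strip_override_headers(req: Request) -> Request:
    """Edge mitigation: drop the headers before forwarding to an unpatched application."""
    kept = {k: v for k, v in req.headers.items() if k.lower() not in OVERRIDE_HEADERS}
    return Request(req.request_uri, kept)
```

With the legacy resolver the edge sees and permits /public while the application routes the header value; with the fixed resolver, or with the headers stripped at the edge, both layers agree on the same path.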