Name | CVE-2018-14774 |
Description | An issue was discovered in HttpKernel in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. When using HttpCache, the values of the X-Forwarded-Host headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
References | ELA-912-1 |
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|---|---|---|
symfony (PTS) | jessie, jessie (lts) | 2.3.21+dfsg-4+deb8u6 | fixed |
stretch (security) | 2.8.7+dfsg-1.3+deb9u3 | vulnerable | |
stretch (lts), stretch | 2.8.7+dfsg-1.3+deb9u5 | fixed | |
buster (security), buster, buster (lts) | 3.4.22+dfsg-2+deb10u3 | fixed | |
bullseye | 4.4.19+dfsg-2+deb11u6 | fixed | |
bookworm | 5.4.23+dfsg-1+deb12u2 | fixed | |
bookworm (security) | 5.4.23+dfsg-1+deb12u4 | fixed | |
sid, trixie | 6.4.16+dfsg-1 | fixed |
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|---|---|---|---|---|---|
symfony | source | jessie | (not affected) | |||
symfony | source | stretch | 2.8.7+dfsg-1.3+deb9u4 | ELA-912-1 | ||
symfony | source | (unstable) | 3.4.14+dfsg-1 |
[stretch] - symfony <no-dsa> (Minor issue)
[jessie] - symfony <not-affected> (Vulnerable code not present, introduced later in commit 4c8a25a6e2)
https://symfony.com/blog/cve-2018-14774-possible-host-header-injection-when-using-httpcache