Search criteria
Related vulnerabilities
GHSA-V77V-X634-9M56
Vulnerability from github – Published: 2024-05-30 00:38 – Updated: 2024-05-30 00:38
VLAI
Summary
Symfony vulnerable to denial of service via a malicious HTTP Host header
Details
All 2.0.X, 2.1.X, 2.2.X, 2.3.X, 2.4.X, and 2.5.X versions of the Symfony HttpFoundation component are affected by this security issue.
This issue has been fixed in Symfony 2.3.19, 2.4.9, and 2.5.4. Note that no fixes are provided for Symfony 2.0, 2.1, and 2.2 as they are not maintained anymore.
Description
When an arbitrarily long hostname is sent by a client, its parsing in Request::getHost() can lead to a DoS attack, due to the way we validate the hostname via a regular expression.
Resolution The regular expression used to parse and validate the hostname from the HTTP request has been modified to avoid too much sensitivity to the submitted value length.
The patch for this issue is available here: https://github.com/symfony/symfony/pull/11828
Severity
7.5 (High)
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/http-foundation"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.3.19"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/http-foundation"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/http-foundation"
},
"ranges": [
{
"events": [
{
"introduced": "2.5.0"
},
{
"fixed": "2.5.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.3.19"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "2.5.0"
},
{
"fixed": "2.5.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2014-5244"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-30T00:38:38Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "All 2.0.X, 2.1.X, 2.2.X, 2.3.X, 2.4.X, and 2.5.X versions of the Symfony HttpFoundation component are affected by this security issue.\n\nThis issue has been fixed in Symfony 2.3.19, 2.4.9, and 2.5.4. Note that no fixes are provided for Symfony 2.0, 2.1, and 2.2 as they are not maintained anymore.\n\nDescription\nWhen an arbitrarily long hostname is sent by a client, its parsing in `Request::getHost()` can lead to a DoS attack, due to the way we validate the hostname via a regular expression.\n\nResolution\nThe regular expression used to parse and validate the hostname from the HTTP request has been modified to avoid too much sensitivity to the submitted value length.\n\nThe patch for this issue is available here: https://github.com/symfony/symfony/pull/11828",
"id": "GHSA-v77v-x634-9m56",
"modified": "2024-05-30T00:38:38Z",
"published": "2024-05-30T00:38:38Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/symfony/symfony/pull/11828"
},
{
"type": "WEB",
"url": "https://github.com/symfony/symfony/commit/1ee96a8b1b0987ffe2a62dca7ad268bf9edfa9b8"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2014-5244.yaml"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2014-5244.yaml"
},
{
"type": "WEB",
"url": "https://symfony.com/blog/cve-2014-5244-denial-of-service-with-a-malicious-http-host-header"
},
{
"type": "WEB",
"url": "https://symfony.com/cve-2014-5244"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Symfony vulnerable to denial of service via a malicious HTTP Host header"
}
GSD-2014-5244
Vulnerability from gsd - Updated: 2023-12-13 01:22Details
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2014-5244",
"id": "GSD-2014-5244"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2014-5244"
],
"id": "GSD-2014-5244",
"modified": "2023-12-13T01:22:52.578378Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-5244",
"STATE": "RESERVED"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003e=2.0.0,\u003c2.4.9||\u003e=2.5.0,\u003c2.5.4",
"affected_versions": "All versions starting from 2.0.0 before 2.4.9, all versions starting from 2.5.0 before 2.5.4",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2014-09-03",
"description": "Denial of service with a malicious HTTP Host header.",
"fixed_versions": [
"2.4.9",
"2.5.4"
],
"identifier": "CVE-2014-5244",
"identifiers": [
"CVE-2014-5244"
],
"not_impacted": "All versions before 2.0.0, all versions starting from 2.4.9 before 2.5.0, all versions starting from 2.5.4",
"package_slug": "packagist/symfony/http-foundation",
"pubdate": "2014-09-03",
"solution": "Upgrade to versions 2.4.9, 2.5.4 or above.",
"title": "Uncontrolled Resource Consumption",
"urls": [
"https://symfony.com/cve-2014-5244"
],
"uuid": "eb2730cd-b5a9-4e3c-b123-84f5ff788780"
},
{
"affected_range": "\u003e=2.0.0,\u003c2.4.9||\u003e=2.5.0,\u003c2.5.4",
"affected_versions": "All versions starting from 2.0.0 before 2.4.9, all versions starting from 2.5.0 before 2.5.4",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2014-09-03",
"description": "Denial of service with a malicious HTTP Host header.",
"fixed_versions": [
"2.4.9",
"2.5.4"
],
"identifier": "CVE-2014-5244",
"identifiers": [
"CVE-2014-5244"
],
"not_impacted": "All versions before 2.0.0, all versions starting from 2.4.9 before 2.5.0, all versions starting from 2.5.4",
"package_slug": "packagist/symfony/symfony",
"pubdate": "2014-09-03",
"solution": "Upgrade to versions 2.4.9, 2.5.4 or above.",
"title": "Uncontrolled Resource Consumption",
"urls": [
"https://symfony.com/cve-2014-5244"
],
"uuid": "07f0d9e7-0580-4190-8a00-4c25e732d441"
}
]
}
}
}