Search criteria
Related vulnerabilities
GHSA-WVJV-P5RR-MMQM
Vulnerability from github – Published: 2024-05-30 00:46 – Updated: 2024-05-30 00:46
VLAI
Summary
Symfony allows direct access of ESI URLs behind a trusted proxy
Details
All 2.2.X, 2.3.X, 2.4.X, and 2.5.X versions of the Symfony HttpKernel component are affected by this security issue. Your application is vulnerable only if the ESI feature is enabled and there is a proxy in front of the web application.
This issue has been fixed in Symfony 2.3.19, 2.4.9, and 2.5.4. Note that no fixes are provided for Symfony 2.2 as it is not maintained anymore.
Description
When you enable the ESI feature and when you are using a proxy like Varnish that you configured as a trusted proxy, the FragmentHandler considered requests to render fragments as coming from a trusted source, even if the client was requesting them directly. Symfony can not distinguish between ESI requests done on behalf of the client by Varnish and faked fragment requests coming directly from the client.
To mitigate this issue, and for not-supported Symfony versions, you can use the following workaround in your Varnish configuration (/_fragment being the URL path prefix configured under the fragment setting of the framework bundle configuration):
Copy sub vcl_recv { if (req.restarts == 0 && req.url ~ "^/_fragment") { error 400; } } Resolution We do not rely on trusted IPs anymore when validating a fragment request as all fragment URLs are now signed.
The patch for this issue is available here: https://github.com/symfony/symfony/pull/11831
Severity
7.5 (High)
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/http-kernel"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.3.19"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/http-kernel"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/http-kernel"
},
"ranges": [
{
"events": [
{
"introduced": "2.5.0"
},
{
"fixed": "2.5.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.3.19"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "2.5.0"
},
{
"fixed": "2.5.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2014-5245"
],
"database_specific": {
"cwe_ids": [
"CWE-200"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-30T00:46:52Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "All 2.2.X, 2.3.X, 2.4.X, and 2.5.X versions of the Symfony HttpKernel component are affected by this security issue. Your application is vulnerable only if the ESI feature is enabled and there is a proxy in front of the web application.\n\nThis issue has been fixed in Symfony 2.3.19, 2.4.9, and 2.5.4. Note that no fixes are provided for Symfony 2.2 as it is not maintained anymore.\n\nDescription\nWhen you enable the ESI feature and when you are using a proxy like Varnish that you configured as a trusted proxy, the `FragmentHandler` considered requests to render fragments as coming from a trusted source, even if the client was requesting them directly. Symfony can not distinguish between ESI requests done on behalf of the client by Varnish and faked fragment requests coming directly from the client.\n\nTo mitigate this issue, and for not-supported Symfony versions, you can use the following workaround in your Varnish configuration (`/_fragment` being the URL path prefix configured under the `fragment` setting of the framework bundle configuration):\n\n Copy\nsub vcl_recv {\n if (req.restarts == 0 \u0026\u0026 req.url ~ \"^/_fragment\") {\n error 400;\n }\n}\nResolution\nWe do not rely on trusted IPs anymore when validating a fragment request as all fragment URLs are now signed.\n\nThe patch for this issue is available here: https://github.com/symfony/symfony/pull/11831",
"id": "GHSA-wvjv-p5rr-mmqm",
"modified": "2024-05-30T00:46:52Z",
"published": "2024-05-30T00:46:52Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/symfony/symfony/pull/11831"
},
{
"type": "WEB",
"url": "https://github.com/symfony/symfony/commit/654b1f281e09dd96ffbbd3da815411700423ecf5"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-kernel/CVE-2014-5245.yaml"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2014-5245.yaml"
},
{
"type": "WEB",
"url": "https://symfony.com/cve-2014-5245"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Symfony allows direct access of ESI URLs behind a trusted proxy"
}
GSD-2014-5245
Vulnerability from gsd - Updated: 2023-12-13 01:22Details
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2014-5245",
"id": "GSD-2014-5245"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2014-5245"
],
"id": "GSD-2014-5245",
"modified": "2023-12-13T01:22:52.268076Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-5245",
"STATE": "RESERVED"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003e=2.0.0,\u003c2.4.9||\u003e=2.5.0,\u003c2.5.4",
"affected_versions": "All versions starting from 2.0.0 before 2.4.9, all versions starting from 2.5.0 before 2.5.4",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2014-09-03",
"description": "Direct access of ESI URLs behind a trusted proxy.",
"fixed_versions": [
"2.4.9",
"2.5.4"
],
"identifier": "CVE-2014-5245",
"identifiers": [
"CVE-2014-5245"
],
"not_impacted": "All versions before 2.0.0, all versions starting from 2.4.9 before 2.5.0, all versions starting from 2.5.4",
"package_slug": "packagist/symfony/http-kernel",
"pubdate": "2014-09-03",
"solution": "Upgrade to versions 2.4.9, 2.5.4 or above.",
"title": "Improper Access Control",
"urls": [
"https://symfony.com/cve-2014-5245"
],
"uuid": "2cdb07f5-e6b6-41d0-8ce3-c20404947d55"
},
{
"affected_range": "\u003e=2.0.0,\u003c2.4.9||\u003e=2.5.0,\u003c2.5.4",
"affected_versions": "All versions starting from 2.0.0 before 2.4.9, all versions starting from 2.5.0 before 2.5.4",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2014-09-03",
"description": "Direct access of ESI URLs behind a trusted proxy",
"fixed_versions": [
"2.4.9",
"2.5.4"
],
"identifier": "CVE-2014-5245",
"identifiers": [
"CVE-2014-5245"
],
"not_impacted": "All versions before 2.0.0, all versions starting from 2.4.9 before 2.5.0, all versions starting from 2.5.4",
"package_slug": "packagist/symfony/symfony",
"pubdate": "2014-09-03",
"solution": "Upgrade to versions 2.4.9, 2.5.4 or above.",
"title": "Information Disclosure",
"urls": [
"https://symfony.com/cve-2014-5245"
],
"uuid": "b54faa90-3da7-48c2-8e95-6bd1c2fb7613"
}
]
}
}
}