Search criteria
Related vulnerabilities
GHSA-H7V2-2QWG-H829
Vulnerability from github – Published: 2024-05-30 00:41 – Updated: 2024-05-30 00:41
VLAI
Summary
Symfony has a security issue when parsing the Authorization header
Details
All 2.0.X, 2.1.X, 2.2.X, 2.3.X, 2.4.X, and 2.5.X versions of the Symfony HttpFoundation component are affected by this security issue.
This issue has been fixed in Symfony 2.3.19, 2.4.9, and 2.5.4. Note that no fixes are provided for Symfony 2.0, 2.1, and 2.2 as they are not maintained anymore.
Description
When an application uses an HTTP basic or digest authentication, Symfony does not parse the Authorization header properly, which could be exploited in some server setups (no exploits have been demonstrated though.)
Resolution
The parsing of the Authorization header has been fixed to comply to the HTTP specification.
The patch for this issue is available here: https://github.com/symfony/symfony/pull/11829
Severity
5.3 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/http-foundation"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.3.19"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/http-foundation"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/http-foundation"
},
"ranges": [
{
"events": [
{
"introduced": "2.5.0"
},
{
"fixed": "2.5.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.3.19"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "2.5.0"
},
{
"fixed": "2.5.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2014-6061"
],
"database_specific": {
"cwe_ids": [
"CWE-20"
],
"github_reviewed": true,
"github_reviewed_at": "2024-05-30T00:41:16Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "All 2.0.X, 2.1.X, 2.2.X, 2.3.X, 2.4.X, and 2.5.X versions of the Symfony HttpFoundation component are affected by this security issue.\n\nThis issue has been fixed in Symfony 2.3.19, 2.4.9, and 2.5.4. Note that no fixes are provided for Symfony 2.0, 2.1, and 2.2 as they are not maintained anymore.\n\n### Description\nWhen an application uses an HTTP basic or digest authentication, Symfony does not parse the `Authorization` header properly, which could be exploited in some server setups (no exploits have been demonstrated though.)\n\n### Resolution\nThe parsing of the `Authorization` header has been fixed to comply to the HTTP specification.\n\nThe patch for this issue is available here: https://github.com/symfony/symfony/pull/11829",
"id": "GHSA-h7v2-2qwg-h829",
"modified": "2024-05-30T00:41:17Z",
"published": "2024-05-30T00:41:16Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/symfony/symfony/pull/11829"
},
{
"type": "WEB",
"url": "https://github.com/symfony/symfony/commit/3b4046e89467dc1fb5e079e377c2cfd4c239f904"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2014-6061.yaml"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2014-6061.yaml"
},
{
"type": "WEB",
"url": "https://symfony.com/cve-2014-6061"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Symfony has a security issue when parsing the Authorization header"
}
GSD-2014-6061
Vulnerability from gsd - Updated: 2023-12-13 01:22Details
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2014-6061",
"id": "GSD-2014-6061"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2014-6061"
],
"id": "GSD-2014-6061",
"modified": "2023-12-13T01:22:50.484010Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-6061",
"STATE": "RESERVED"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003e=2.0.0,\u003c2.4.9||\u003e=2.5.0,\u003c2.5.4",
"affected_versions": "All versions starting from 2.0.0 before 2.4.9, all versions starting from 2.5.0 before 2.5.4",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2014-09-03",
"description": "Security issue when parsing the Authorization header.",
"fixed_versions": [
"2.4.9",
"2.5.4"
],
"identifier": "CVE-2014-6061",
"identifiers": [
"CVE-2014-6061"
],
"not_impacted": "All versions before 2.0.0, all versions starting from 2.4.9 before 2.5.0, all versions starting from 2.5.4",
"package_slug": "packagist/symfony/http-foundation",
"pubdate": "2014-09-03",
"solution": "Upgrade to versions 2.4.9, 2.5.4 or above.",
"title": "Improper Authorization",
"urls": [
"https://symfony.com/cve-2014-6061"
],
"uuid": "3dbf59cf-a357-4396-aaaf-262c0eb7cd83"
},
{
"affected_range": "\u003e=2.0.0,\u003c2.4.9||\u003e=2.5.0,\u003c2.5.4",
"affected_versions": "All versions starting from 2.0.0 before 2.4.9, all versions starting from 2.5.0 before 2.5.4",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2014-09-03",
"description": "Security issue when parsing the Authorization header.",
"fixed_versions": [
"2.4.9",
"2.5.4"
],
"identifier": "CVE-2014-6061",
"identifiers": [
"CVE-2014-6061"
],
"not_impacted": "All versions before 2.0.0, all versions starting from 2.4.9 before 2.5.0, all versions starting from 2.5.4",
"package_slug": "packagist/symfony/symfony",
"pubdate": "2014-09-03",
"solution": "Upgrade to versions 2.4.9, 2.5.4 or above.",
"title": "Improper Privilege Management",
"urls": [
"https://symfony.com/cve-2014-6061"
],
"uuid": "ee6a5e4c-eb48-4ab1-b499-5b24c6293d66"
}
]
}
}
}