Remote Code Execution (RCE) Affecting symfony/http-client package, versions >=4.3.0, <4.4.0 >=4.4.0, <4.4.13 >=5.0.0, <5.1.0 >=5.1.0, <5.1.5
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PHP-SYMFONYHTTPCLIENT-609349
- published 2 Sep 2020
- disclosed 2 Sep 2020
- credit Matthias Pigulla
Introduced: 2 Sep 2020
CVE-2020-15094 Open this link in a new tabHow to fix?
Upgrade symfony/http-client to version 4.4.0, 4.4.13, 5.1.0, 5.1.5 or higher.
Overview
symfony/http-client is a Symfony HttpClient component.
Affected versions of this package are vulnerable to Remote Code Execution (RCE). The CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response for a request being made by the CachingHttpClient, remote code execution is possible.