Access Restriction Bypass Affecting symfony/http-foundation package, versions >=2.7, <2.7.49 >=2.8, <2.8.44 >=3.0.0, <3.3.18 >=3.4, <3.4.14 >=4.0.0, <4.0.14 >=4.1, <4.1.3
Threat Intelligence
EPSS
87.78% (99th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PHP-SYMFONYHTTPFOUNDATION-72253
- published 2 Aug 2018
- disclosed 2 Aug 2018
- credit Michael Cullum
Introduced: 2 Aug 2018
CVE-2018-14773 Open this link in a new tabHow to fix?
Upgrade symfony/http-foundation
to versions 2.7.49, 2.8.44, 3.3.18, 3.4.14, 4.0.14, 4.1.3 or higher
Overview
symfony/http-foundation is a set of reusable PHP components.
Affected versions of this package are vulnerable to Access Restriction Bypass. It maintained support for (legacy) IIS headers (X-Original-URL
or X-Rewrite-URL
) that allowed users to override the path in a request URL.
As a result, it allowed a user to access one URL but have Symfony return a different one which can bypass restrictions on higher level caches and web servers.
References
CVSS Scores
version 3.1