<p>Upgrade <code>symfony/symfony</code> to version 2.3.27, 2.5.11, 2.6.6 or higher.</p>

=2.6.0, <2.6.6

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-PHP-SYMFONYSYMFONY-70216
published 1 Apr 2015
disclosed 1 Apr 2015
credit Dmitrii Chekaliuk

Report a new vulnerability Found a mistake?

Introduced: 1 Apr 2015

CVE-2015-2309 Open this link in a new tab CWE-300 Open this link in a new tab

How to fix?

Upgrade symfony/symfony to version 2.3.27, 2.5.11, 2.6.6 or higher.

Overview

Affected versions of symfony/symfony are vulnerable to Man-in-the-Middle (MitM).

The Symfony\Component\HttpFoundation\Request class provides a mechanism that ensures it does not trust HTTP header values coming from a "non-trusted" client. Unfortunately, it assumes that the remote address is always a trusted client if at least one trusted proxy is involved in the request; this allows a man-in-the-middle attack between the latest trusted proxy and the web server.

References

Symfony Release Notes

CVSS Scores

version 3.1

Attack Vector (AV)

Network
Attack Complexity (AC)

Low
Privileges Required (PR)

None
User Interaction (UI)

None

Scope (S)

Unchanged

Confidentiality (C)

Low
Integrity (I)

Low
Availability (A)

None

Man-in-the-Middle (MitM) Affecting symfony/symfony package, versions >=2, <2.3.27 >=2.4.0, <2.5.11 >=2.6.0, <2.6.6

Severity

CVSS assessment made by Snyk's Security Team

Introduced: 1 Apr 2015

How to fix?

Overview

References

CVSS Scores

Snyk