CVE-2017-16653
https://notcve.org/view.php?id=CVE-2017-16653
An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The current implementation of CSRF protection in Symfony (Version >=2) does not use different tokens for HTTP and HTTPS; therefore the token is subject to MITM attacks on HTTP and can then be used in an HTTPS context to do CSRF attacks. Se ha descubierto un problema en Symfony en versiones anteriores a la 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5 y 4.0-BETA5. La implementación actual de la protección CSRF en Symfony (versiones a partir de la 2) no emplea tokens diferentes para HTTP y HTTPS; por lo tanto, el token es vulnerable a ataques Man-in-the-Middle (MitM) en HTTP y puede emplearse en un contexto HTTPS para realizar ataques Cross-Site Request Forgery (CSRF). • https://github.com/symfony/symfony/pull/24992 https://symfony.com/blog/cve-2017-16653-csrf-protection-does-not-use-different-tokens-for-http-and-https https://www.debian.org/security/2018/dsa-4262 •
CVE-2017-16654
https://notcve.org/view.php?id=CVE-2017-16654
An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The Intl component includes various bundle readers that are used to read resource bundles from the local filesystem. The read() methods of these classes use a path and a locale to determine the language bundle to retrieve. The locale argument value is commonly retrieved from untrusted user input (like a URL parameter). An attacker can use this argument to navigate to arbitrary directories via the dot-dot-slash attack, aka Directory Traversal. • https://github.com/symfony/symfony/pull/24994 https://lists.debian.org/debian-lts-announce/2019/03/msg00009.html https://symfony.com/blog/cve-2017-16654-intl-bundle-readers-breaking-out-of-paths https://www.debian.org/security/2018/dsa-4262 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2018-14774
https://notcve.org/view.php?id=CVE-2018-14774
An issue was discovered in HttpKernel in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. When using HttpCache, the values of the X-Forwarded-Host headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection. Se ha descubierto un problema en HttpKernel en Symfony, desde la versión 2.7.0 hasta la 2.7.48, desde la versión 2.8.0 hasta la 2.8.43, desde la versión 3.3.0 hasta la 3.3.17, desde la versión 3.4.0 hasta la 3.4.13, desde la versión 4.0.0 hasta la 4.0.13 y desde la versión 4.1.0 hasta la 4.1.2. Al emplear HttpCache, los valores de las cabeceras X-Forwarded-Host se asignan implícitamente como fiables, aunque debería estar prohibido, lo que conduce a una potencial inyección de cabeceras host. • https://github.com/symfony/symfony/commit/725dee4cd8b4ccd52e335ae4b4522242cea9bd4a https://symfony.com/blog/cve-2018-14774-possible-host-header-injection-when-using-httpcache • CWE-20: Improper Input Validation •
CVE-2018-14773
https://notcve.org/view.php?id=CVE-2018-14773
An issue was discovered in Http Foundation in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. It arises from support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header. These headers are designed for IIS support, but it's not verified that the server is in fact running IIS, which means anybody who can send these requests to an application can trigger this. This affects \Symfony\Component\HttpFoundation\Request::prepareRequestUri() where X-Original-URL and X_REWRITE_URL are both used. The fix drops support for these methods so that they cannot be used as attack vectors such as web cache poisoning. • http://www.securityfocus.com/bid/104943 http://www.securitytracker.com/id/1041405 https://github.com/symfony/symfony/commit/e447e8b92148ddb3d1956b96638600ec95e08f6b https://lists.debian.org/debian-lts-announce/2019/03/msg00009.html https://seclists.org/bugtraq/2019/May/21 https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers https://www.debian.org/security/2019/dsa-4441 https://www.drupal.org/SA-CORE-2018-005 •
CVE-2018-11406
https://notcve.org/view.php?id=CVE-2018-11406
An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. By default, a user's session is invalidated when the user is logged out. This behavior can be disabled through the invalidate_session option. In this case, CSRF tokens were not erased during logout which allowed for CSRF token fixation. Se ha descubierto un problema en el componente Security en Symfony en versiones 2.7.x anteriores a la 2.7.48, versiones 2.8.x anteriores a la 2.8.41, versiones 3.3.x anteriores a la 3.3.17, versiones 3.4.x anteriores a la 3.4.11 y versiones 4.0.x anteriores a la 4.0.11. • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G4XNBMFW33H47O5TZGA7JYCVLDBCXAJV https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UBQK7JDXIELADIPGZIOUCZKMAJM5LSBW https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WU5N2TZFNGXDGMXMPP7LZCWTFLENF6WH https://symfony.com/blog/cve-2018-11406-csrf-token-fixation https://www.debian.org/security/2018/dsa-4262 • CWE-352: Cross-Site Request Forgery (CSRF) •