CVE-2018-14773

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

An issue was discovered in Http Foundation in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. It arises from support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header. These headers are designed for IIS support, but it's not verified that the server is in fact running IIS, which means anybody who can send these requests to an application can trigger this. This affects \Symfony\Component\HttpFoundation\Request::prepareRequestUri() where X-Original-URL and X_REWRITE_URL are both used. The fix drops support for these methods so that they cannot be used as attack vectors such as web cache poisoning.

Se ha descubierto un problema en Http Foundation en Symfony, desde la versión 2.7.0 hasta la 2.7.48, desde la versión 2.8.0 hasta la 2.8.43, desde la versión 3.3.0 hasta la 3.3.17, desde la versión 3.4.0 hasta la 3.4.13, desde la versión 4.0.0 hasta la 4.0.13 y desde la versión 4.1.0 hasta la 4.1.2. Se origina desde el soporte a una cabecera IIS (heredada) que deja que los usuarios sobrescriban la ruta en la URL de petición mediante la cabecera de petición HTTP X-Original-URL o X-Rewrite-URL. Estas cabeceras han sido diseñadas para ser compatibles con IIS, pero no está verificado que el servidor esté, de hecho, ejecutando IIS, lo que significa que cualquiera que pueda enviar estas peticiones a la aplicación puede desencadenar este problema. Esto afecta a \Symfony\Component\HttpFoundation\Request::prepareRequestUri() donde se emplean tanto X-Original-URL como X_REWRITE_URL. La solución elimina el soporte a estos métodos para que no puedan ser empleados como vectores de ataque, como el envenenamiento de la caché web.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2018-07-31 CVE Reserved
2018-08-03 CVE Published
2024-02-27 EPSS Updated
2024-08-05 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (8)

URL	Tag	Source
http://www.securityfocus.com/bid/104943	Third Party Advisory
http://www.securitytracker.com/id/1041405	Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/03/msg00009.html	Mailing List
https://seclists.org/bugtraq/2019/May/21	Issue Tracking

URL	Date	SRC

URL	Date	SRC
https://github.com/symfony/symfony/commit/e447e8b92148ddb3d1956b96638600ec95e08f6b	2021-09-29
https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers	2021-09-29
https://www.drupal.org/SA-CORE-2018-005	2021-09-29

URL	Date	SRC
https://www.debian.org/security/2019/dsa-4441	2021-09-29

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Sensiolabs Search vendor "Sensiolabs"		Symfony Search vendor "Sensiolabs" for product "Symfony"				> 2.7.0 <= 2.7.48 Search vendor "Sensiolabs" for product "Symfony" and version " > 2.7.0 <= 2.7.48"		-		Affected
Sensiolabs Search vendor "Sensiolabs"		Symfony Search vendor "Sensiolabs" for product "Symfony"				>= 2.8.0 <= 2.8.43 Search vendor "Sensiolabs" for product "Symfony" and version " >= 2.8.0 <= 2.8.43"		-		Affected
Sensiolabs Search vendor "Sensiolabs"		Symfony Search vendor "Sensiolabs" for product "Symfony"				>= 3.3.0 <= 3.3.17 Search vendor "Sensiolabs" for product "Symfony" and version " >= 3.3.0 <= 3.3.17"		-		Affected
Sensiolabs Search vendor "Sensiolabs"		Symfony Search vendor "Sensiolabs" for product "Symfony"				>= 3.4.0 <= 3.4.13 Search vendor "Sensiolabs" for product "Symfony" and version " >= 3.4.0 <= 3.4.13"		-		Affected
Sensiolabs Search vendor "Sensiolabs"		Symfony Search vendor "Sensiolabs" for product "Symfony"				>= 4.0.0 <= 4.0.13 Search vendor "Sensiolabs" for product "Symfony" and version " >= 4.0.0 <= 4.0.13"		-		Affected
Sensiolabs Search vendor "Sensiolabs"		Symfony Search vendor "Sensiolabs" for product "Symfony"				>= 4.1.0 <= 4.1.2 Search vendor "Sensiolabs" for product "Symfony" and version " >= 4.1.0 <= 4.1.2"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected
Drupal Search vendor "Drupal"		Drupal Search vendor "Drupal" for product "Drupal"				>= 8.0.0 < 8.5.6 Search vendor "Drupal" for product "Drupal" and version " >= 8.0.0 < 8.5.6"		-		Affected