7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.007 Low
EPSS
Percentile
80.6%
The CachingHttpClient
class from the HttpClient Symfony component relies on the HttpCache
class to handle requests. HttpCache
uses internal headers like X-Body-Eval
and X-Body-File
to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient
and if an attacker can control the response for a request being made by the CachingHttpClient
, remote code execution is possible.
HTTP headers designed for internal use in HttpCache
are now stripped from remote responses before being passed to HttpCache
.
The patch for this issue is available here for the 4.4 branch.
I would like to thank Matthias Pigulla (webfactory GmbH) for reporting and fixing the issue.
CPE | Name | Operator | Version |
---|---|---|---|
symfony/symfony | lt | 4.4.13 | |
symfony/http-kernel | lt | 4.4.13 | |
symfony/symfony | lt | 5.1.5 | |
symfony/http-kernel | lt | 5.1.5 |
github.com/advisories/GHSA-754h-5r27-7x3r
github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-kernel/CVE-2020-15094.yaml
github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2020-15094.yaml
github.com/symfony/symfony/commit/d9910e0b33a2e0f993abff41c6fbc86951b66d78
github.com/symfony/symfony/security/advisories/GHSA-754h-5r27-7x3r
lists.fedoraproject.org/archives/list/[email protected]/message/HNGUWOEETOFVH4PN3I3YO4QZHQ4AUKF3/
lists.fedoraproject.org/archives/list/[email protected]/message/VAQJXAKWPMWB7OL6QPG2ZSEQZYYPU5RC/
nvd.nist.gov/vuln/detail/CVE-2020-15094
packagist.org/packages/symfony/http-kernel
packagist.org/packages/symfony/symfony
symfony.com/cve-2020-15094
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.007 Low
EPSS
Percentile
80.6%