When investigating issue #11093, Jeremy Derussé found a serious code injection issue in the way Symfony implements translation caching in FrameworkBundle.
Your Symfony application is vulnerable if you meet the following conditions:
You are using the Symfony translation system from FrameworkBundle (so basically if you are using Symfony full-stack – you are not affected if you are using the Translation component with Silex for instance);
You don’t sanitize locales coming from a URL (any route with a _locale argument for instance):
When vulnerable, an attacker can submit a non-valid locale value that can contain some PHP code that will be executed by Symfony. That’s because the locale value is dumped into a PHP file generated in the cache without being sanitized first.
Vendor | Product | Version | CPE |
---|---|---|---|
symfony | symfony | * | cpe:2.3:a:symfony:symfony:*:*:*:*:*:*:*:* |
symfony | framework-bundle | * | cpe:2.3:a:symfony:framework-bundle:*:*:*:*:*:*:*:* |
github.com/advisories/GHSA-wfv7-5x33-v22h
github.com/FriendsOfPHP/security-advisories/blob/master/symfony/framework-bundle/CVE-2014-4931.yaml
github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2014-4931.yaml
github.com/symfony/symfony/commit/06a80fbdbe744ad6f3010479ba64ef5cf35dd9af.patch
symfony.com/blog/security-releases-cve-2014-4931-symfony-2-3-18-2-4-8-and-2-5-2-released