CVE-2018-14773
Published 2018-08-03
Priority P3 · 53 · medium · CVSS 3.1: 6.5
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS: 58.06% (99.0th percentile)
An issue was discovered in Http Foundation in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. It arises from support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header. These headers are designed for IIS support, but it's not verified that the server is in fact running IIS, which means anybody who can send these requests to an application can trigger this. This affects \Symfony\Component\HttpFoundation\Request::prepareRequestUri() where X-Original-URL and X_REWRITE_URL are both used. The fix drops support for these methods so that they cannot be used as attack vectors such as web cache poisoning.
Affected
26 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | symfony | < symfony 3.4.14+dfsg-1 (bookworm) | symfony 3.4.14+dfsg-1 (bookworm) |
| drupal | drupal | >= 8.0.0 < 8.5.6 | 8.5.6 |
| sensiolabs | symfony | <= 2.7.48 | — |
| sensiolabs | symfony | 2.8.0 – 2.8.43 | — |
| sensiolabs | symfony | 3.3.0 – 3.3.17 | — |
| sensiolabs | symfony | 3.4.0 – 3.4.13 | — |
| sensiolabs | symfony | 4.0.0 – 4.0.13 | — |
| sensiolabs | symfony | 4.1.0 – 4.1.2 | — |
| symfony | http-foundation | >= 2.7.0 < 2.7.49 | 2.7.49 |
| symfony | http-foundation | >= 2.8.0 < 2.8.44 | 2.8.44 |
| symfony | http-foundation | >= 3.0.0 < 3.3.18 | 3.3.18 |
| symfony | http-foundation | >= 3.4.0 < 3.4.14 | 3.4.14 |
| symfony | http-foundation | >= 4.0.0 < 4.0.14 | 4.0.14 |
| symfony | http-foundation | >= 4.1.0 < 4.1.3 | 4.1.3 |
| symfony | symfony | >= 0 < 3.4.14+dfsg-1 | 3.4.14+dfsg-1 |
| symfony | symfony | >= 0 < 3.4.14+dfsg-1 | 3.4.14+dfsg-1 |
| symfony | symfony | >= 0 < 3.4.14+dfsg-1 | 3.4.14+dfsg-1 |
| symfony | symfony | >= 0 < 3.4.14+dfsg-1 | 3.4.14+dfsg-1 |
| symfony | symfony | >= 2.7.0 < 2.7.49 | 2.7.49 |
| symfony | symfony | >= 2.8.0 < 2.8.44 | 2.8.44 |
| symfony | symfony | >= 3.0.0 < 3.3.18 | 3.3.18 |
| symfony | symfony | >= 3.4.0 < 3.4.14 | 3.4.14 |
| symfony | symfony | >= 4.0.0 < 4.0.14 | 4.0.14 |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by monitoring HTTP requests containing the X-Original-URL or X-Rewrite-URL headers, which are used to override the request URI path in vulnerable Symfony applications.
- Alert on HTTP requests carrying X-Original-URL or X-Rewrite-URL headers targeting Symfony applications, as these can be used to bypass access controls and poison web caches.
- Flag requests where X-Original-URL or X-Rewrite-URL headers are present but the server is not IIS, indicating potential abuse of the legacy header support.
- The attack allows a user to access one URL but have Symfony return a different one; monitor for discrepancies between the actual request URL and the URL processed by the application when these headers are present.
- The vulnerability affects Symfony versions 2.7.0–2.7.48, 2.8.0–2.8.43, 3.3.0–3.3.17, 3.4.0–3.4.13, 4.0.0–4.0.13, and 4.1.0–4.1.2. EPEL7 is pinned at version 2.8.12 and cannot be upgraded, leaving it permanently vulnerable.
- The fix removes support for both X-Original-URL and X-Rewrite-URL (X_REWRITE_URL) headers entirely. Detection rules targeting these headers will remain relevant for unpatched instances.
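The detection items above reduce to one check: does a request carry X-Original-URL or X-Rewrite-URL, and if so, which path would a vulnerable Symfony Request have processed instead of the one in the request line? The script below is an added example, not code from the page's sources or from Symfony. It scans a constructed JSON-lines access log that records request headers, reports each mismatch between the requested path and the override, and includes a small edge-side mitigation that drops the two headers before they reach PHP. The precedence it assumes (X-Original-URL honoured before X-Rewrite-URL, both checked case-insensitively) is an assumption about the pre-fix prepareRequestUri() behaviour, not something the page states.

```python
"""Detection helper for CVE-2018-14773 style path overrides.

Scans HTTP request records for the legacy IIS override headers
X-Original-URL / X-Rewrite-URL and reports, per request, the path the
client asked for versus the path a vulnerable Symfony Request would
have processed. All sample records below are constructed for this example.
"""
import json
from dataclasses import dataclass

# HTTP header names are case-insensitive, so everything is compared lower-cased.
# Assumption: the pre-fix Symfony code consulted X-Original-URL first, then
# X-Rewrite-URL, before falling back to the real request target.
OVERRIDE_HEADERS = ("x-original-url", "x-rewrite-url")


@dataclass
class Finding:
    client_ip: str
    requested_path: str   # path from the request line
    overridden_path: str  # path the vulnerable framework would act on
    header: str           # which legacy header caused the override


def effective_path(requested_path, headers):
    """Return (path, header_name) a vulnerable Symfony would have used.

    header_name is None when no override header is present."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in OVERRIDE_HEADERS:
        value = lowered.get(name)
        if value:
            return value, name
    return requested_path, None


def scan_records(records):
    """Yield one Finding per request whose path was overridden by a legacy header."""
    findings = []
    for rec in records:
        path, header = effective_path(rec["path"], rec["headers"])
        if header is not None:
            findings.append(Finding(rec["client_ip"], rec["path"], path, header))
    return findings


def strip_override_headers(headers):
    """Edge mitigation for unpatched instances: drop the legacy headers at the
    reverse proxy so the application never sees them."""
    return {k: v for k, v in headers.items() if k.lower() not in OVERRIDE_HEADERS}


# Constructed sample: JSON-lines access log where each record keeps the headers.
SAMPLE_LOG = """\
{"client_ip": "203.0.113.5", "method": "GET", "path": "/", "headers": {"Host": "app.example", "User-Agent": "curl/7.64"}}
{"client_ip": "203.0.113.9", "method": "GET", "path": "/", "headers": {"Host": "app.example", "X-Original-URL": "/admin"}}
{"client_ip": "198.51.100.2", "method": "GET", "path": "/public", "headers": {"Host": "app.example", "X-Rewrite-URL": "/private/report"}}
{"client_ip": "198.51.100.7", "method": "GET", "path": "/a", "headers": {"x-original-url": "/b", "X-Rewrite-URL": "/c"}}
"""


def parse_log(text):
    """Parse JSON-lines text into a list of request records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for f in scan_records(parse_log(SAMPLE_LOG)):
        print(f"{f.client_ip}: requested {f.requested_path} but {f.header} "
              f"would make Symfony serve {f.overridden_path}")
```

On real traffic the same logic applies to whatever source records headers (a WAF log, a reverse-proxy log with header capture, or a PHP-side request listener); any finding is worth an alert, since nothing but IIS has a legitimate reason to send these headers. The strip function is the compensating control for a deployment that cannot upgrade, such as the EPEL7 package noted above.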
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
| nvd | v2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:P/A:N |
| osv | — | 6.5 | MEDIUM | — |
| vendor_debian | — | 6.5 | MEDIUM | — |
OSV · 2022-05-13
CVE-2018-14773 [MEDIUM] Symfony HTTP Foundation web cache poisoning
GHSA · 2022-05-13
CVE-2018-14773 [MEDIUM] CWE-349 Symfony HTTP Foundation web cache poisoning
OSV · 2018-08-03 · CVSS 6.5
CVE-2018-14773 [MEDIUM]
Debian · 2018 · CVSS 6.5
CVE-2018-14773 [MEDIUM] symfony
Scope: local
No detection rules found.
No public exploits indexed.
Bugzilla · 2018-08-03 · CVSS 6.5
CVE-2018-14773 [MEDIUM] php-symfony: Legacy HTTP headers allow users to modify URLs and bypass restrictions
The Symfony PHP framework has a vulnerability in versions before 2.7.49, 2.8.44, 3.3.18, 3.4.14, 4.0.14, and 4.1.3. Support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header allows a user to access one URL but have Symfony return a different one which can bypass restrictions on higher level caches and web servers.
The fix drops support for these two obsolete IIS headers: X-Original-URL and X_REWRITE_URL.
External reference: https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers
Upstream patch: https://github.com/symfony/symfony/commit/e447e8b92148ddb3d1956b9663860
Bugzilla · 2018-08-03 · CVSS 6.5
CVE-2018-14773 [MEDIUM] php-symfony4: php-symfony: Legacy HTTP headers allow users to modify URLs and bypass restrictions [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE
Bugzilla · 2018-08-03 · CVSS 6.5
CVE-2018-14773 [MEDIUM] php-symfony: Legacy HTTP headers allow users to modify URLs and bypass restrictions [epel-all]
Bugzilla · 2018-08-03 · CVSS 6.5
CVE-2018-14773 [MEDIUM] php-symfony: Legacy HTTP headers allow users to modify URLs and bypass restrictions [fedora-all]
Bugzilla · 2018-08-03 · CVSS 6.5
CVE-2018-14773 [MEDIUM] php-symfony3: php-symfony: Legacy HTTP headers allow users to modify URLs and bypass restrictions [fedora-all]
References
- http://www.securityfocus.com/bid/104943
- http://www.securitytracker.com/id/1041405
- https://github.com/symfony/symfony/commit/e447e8b92148ddb3d1956b96638600ec95e08f6b
- https://lists.debian.org/debian-lts-announce/2019/03/msg00009.html
- https://seclists.org/bugtraq/2019/May/21
- https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers
- https://www.debian.org/security/2019/dsa-4441
- https://www.drupal.org/SA-CORE-2018-005