cbcvebase.
CVE-2018-14773
published 2018-08-03

Priority: P353 · medium · 6.5 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS: 58.06% (99.0th percentile)
An issue was discovered in HttpFoundation in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. It arises from support for two legacy IIS headers, X-Original-URL and X-Rewrite-URL, that let the client override the path in the request URL. These headers exist for IIS rewrite modules, but Symfony never verified that the server is in fact running IIS, so anybody who can send requests to the application can choose the path it routes on. The affected code is \Symfony\Component\HttpFoundation\Request::prepareRequestUri(), where both X-Original-URL and X_REWRITE_URL are consulted before the server-supplied REQUEST_URI. Because a cache or reverse proxy in front of the application keys on the URL it actually received while Symfony handles the path taken from the header, the flaw enables web cache poisoning and bypass of path-based access rules enforced in front of the application. The fix drops support for these headers entirely so that they can no longer be used as attack vectors.
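
The override described above, modelled in Python as an added example (this is not Symfony's PHP code): it reproduces the branch order of prepareRequestUri() before and after the fix, and adds a constructed edge rule, front_proxy_allows(), to show why the mismatch between the real URL and the routed path matters. The function names, the /admin rule and the sample headers are assumptions made for the example.

```python
"""Model of the CVE-2018-14773 path override in Symfony HttpFoundation.

Added example in Python, not Symfony's PHP code: it reproduces the branch
order of Request::prepareRequestUri() before and after the fix so the effect
can be run stand-alone. serve(), front_proxy_allows() and the /admin rule
are constructed for the example.
"""


def _normalize(name: str) -> str:
    # HeaderBag treats header names case-insensitively and maps '-' to '_',
    # so X-Original-URL, x-original-url and X_ORIGINAL_URL are one key.
    return name.upper().replace("-", "_")


def _header(headers: dict, name: str):
    key = _normalize(name)
    for k, v in headers.items():
        if _normalize(k) == key:
            return v
    return None


def prepare_request_uri(server: dict, headers: dict, patched: bool) -> str:
    """Return the URI Symfony would route on.

    server:  CGI-style variables set by the web server (trusted).
    headers: request headers as sent by the client (untrusted).
    """
    if not patched:
        # Vulnerable order: client headers intended for IIS rewrite modules
        # are consulted first, with no check that the server is IIS, so any
        # client can pick the path the application sees.
        for name in ("X-Original-URL", "X-Rewrite-URL"):
            value = _header(headers, name)
            if value is not None:
                return value
    # The IIS7 URL Rewrite branch survives the fix: it is driven by server
    # variables the web server sets, not by anything the client can send.
    if server.get("IIS_WasUrlRewritten") == "1" and server.get("UNENCODED_URL"):
        return server["UNENCODED_URL"]
    return server.get("REQUEST_URI", "/")


def front_proxy_allows(request_uri: str) -> bool:
    # Constructed edge rule: an access control enforced on the URL the proxy
    # (or a cache) sees, which is REQUEST_URI, never the overriding header.
    return not request_uri.startswith("/admin")


def serve(request_uri: str, headers: dict, patched: bool) -> dict:
    """Simulate proxy + Symfony: what was checked/cached vs. what was routed."""
    if not front_proxy_allows(request_uri):
        return {"status": 403, "cache_key": request_uri, "routed": None}
    routed = prepare_request_uri({"REQUEST_URI": request_uri}, headers, patched)
    return {"status": 200, "cache_key": request_uri, "routed": routed}


if __name__ == "__main__":
    attack = {"X-Original-URL": "/admin/users"}
    for patched in (False, True):
        print("patched" if patched else "vulnerable", serve("/", attack, patched))
```

On the vulnerable path the proxy allows and caches "/" while Symfony renders /admin/users under that key; the patched path ignores both client headers, and only the server-set IIS_WasUrlRewritten/UNENCODED_URL pair can still change the routed URI.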

Affected (26 ranges in the source; 25 shown)

Vendor      Product          Version range                  Fixed in
debian      debian_linux     (no range listed)              -
debian      symfony          < 3.4.14+dfsg-1 (bookworm)     3.4.14+dfsg-1 (bookworm)
drupal      drupal           >= 8.0.0 < 8.5.6               8.5.6
sensiolabs  symfony          <= 2.7.48                      -
sensiolabs  symfony          2.8.0 - 2.8.43                 -
sensiolabs  symfony          3.3.0 - 3.3.17                 -
sensiolabs  symfony          3.4.0 - 3.4.13                 -
sensiolabs  symfony          4.0.0 - 4.0.13                 -
sensiolabs  symfony          4.1.0 - 4.1.2                  -
symfony     http-foundation  >= 2.7.0 < 2.7.49              2.7.49
symfony     http-foundation  >= 2.8.0 < 2.8.44              2.8.44
symfony     http-foundation  >= 3.0.0 < 3.3.18              3.3.18
symfony     http-foundation  >= 3.4.0 < 3.4.14              3.4.14
symfony     http-foundation  >= 4.0.0 < 4.0.14              4.0.14
symfony     http-foundation  >= 4.1.0 < 4.1.3               4.1.3
symfony     symfony          >= 0 < 3.4.14+dfsg-1           3.4.14+dfsg-1
symfony     symfony          >= 2.7.0 < 2.7.49              2.7.49
symfony     symfony          >= 2.8.0 < 2.8.44              2.8.44
symfony     symfony          >= 3.0.0 < 3.3.18              3.3.18
symfony     symfony          >= 3.4.0 < 3.4.14              3.4.14
symfony     symfony          >= 4.0.0 < 4.0.14              4.0.14

Detection & IOCs (extracted from sources)

Header  X-Original-URL
Header  X-Rewrite-URL
URL     https://github.com/symfony/symfony/commit/e447e8b92148ddb3d1956b96638600ec95e08f6b
  • Detect exploitation attempts by monitoring HTTP requests that carry the X-Original-URL or X-Rewrite-URL header; in vulnerable Symfony versions either header overrides the request URI path.
  • Alert on requests carrying either header that reach a Symfony application: the override can be used to bypass path-based access controls enforced in front of the application and to poison web caches.
  • Flag requests carrying either header when the origin is not IIS. The headers are only meaningful when set by IIS rewrite modules, and Symfony never checked that it was running behind IIS.
  • The attack lets a client request one URL and have Symfony process a different one. Where these headers are present, compare the URL the edge received with the path the application actually routed and alert on any discrepancy.
  • The vulnerability affects Symfony 2.7.0-2.7.48, 2.8.0-2.8.43, 3.3.0-3.3.17, 3.4.0-3.4.13, 4.0.0-4.0.13 and 4.1.0-4.1.2. EPEL7 is pinned at version 2.8.12 and cannot be upgraded, leaving it permanently vulnerable.
  • The fix removes support for both X-Original-URL and X-Rewrite-URL (X_REWRITE_URL) entirely, so detection rules targeting these headers remain relevant only for unpatched instances.
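
The detection guidance above as a rule run over access-log lines, added here as an example (not from the page's sources). It assumes an httpd-style access log whose LogFormat appends the two client headers as quoted fields via %{X-Original-URL}i and %{X-Rewrite-URL}i (logged as "-" when absent); the log lines, the sensitive-path list and the function names classify()/scan()/override_headers() are constructed for the example. It goes slightly beyond the bullets by grading the hit on whether the header value differs from the request target and whether it points at a sensitive prefix.

```python
"""Detection for CVE-2018-14773 over a web-server access log.

Added example, not from the page's sources. Assumes an httpd-style access
log whose LogFormat appends the two client headers as quoted fields,
%{X-Original-URL}i and %{X-Rewrite-URL}i, logged as "-" when absent.
The log lines, SENSITIVE_PREFIXES and the function names are constructed.
"""
import re

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<orig>[^"]*)" "(?P<rewrite>[^"]*)"$'
)

# Constructed: paths an edge ACL is meant to keep clients away from.
SENSITIVE_PREFIXES = ("/admin", "/_profiler", "/api/internal")

# Constructed sample log (documentation IP ranges); last line is deliberately broken.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Aug/2018:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "-"
203.0.113.9 - - [03/Aug/2018:10:00:02 +0000] "GET / HTTP/1.1" 200 3011 "/admin/users" "-"
203.0.113.9 - - [03/Aug/2018:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 77 "-" "/index.php"
198.51.100.4 - - [03/Aug/2018:10:00:04 +0000] "GET /products HTTP/1.1" 200 9001 "-" "/products?utm=poison"
198.51.100.4 - - [03/Aug/2018:10:00:05 +0000] "GET /login HTTP/1.1" 200 1200 "/_profiler/" "-"
this line is deliberately unparsable
"""


def override_headers(headers):
    """Pick out the two headers the way Symfony's HeaderBag matches names:
    case-insensitively, with '-' and '_' treated as the same character."""
    wanted = {"X_ORIGINAL_URL", "X_REWRITE_URL"}
    return {k: v for k, v in headers.items() if k.upper().replace("-", "_") in wanted}


def classify(target, orig, rewrite, server_is_iis=False):
    """Return (severity, reason) for one request, or None when nothing is flagged.

    Precedence mirrors the vulnerable code: X-Original-URL wins over X-Rewrite-URL.
    """
    if orig != "-":
        header, value = "X-Original-URL", orig
    elif rewrite != "-":
        header, value = "X-Rewrite-URL", rewrite
    else:
        return None
    if server_is_iis:
        # IIS rewrite modules use these names legitimately; confirm the value
        # came from the module rather than from the client before escalating.
        return ("info", f"{header} seen on IIS origin; verify it was not client-supplied")
    path = value.split("?", 1)[0]
    if path.startswith(SENSITIVE_PREFIXES):
        return ("high", f"{header}={value} rewrites {target} to a sensitive path (ACL bypass)")
    if value != target:
        return ("medium", f"{header}={value} differs from {target} (routing override / cache poisoning)")
    return ("low", f"{header} present from a non-IIS client, value matches {target}")


def scan(log_text, server_is_iis=False):
    """Return (alerts, unparsed_count) for a whole log."""
    alerts, unparsed = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LOG_LINE.match(line)
        if not m:
            unparsed += 1
            continue
        verdict = classify(m["target"], m["orig"], m["rewrite"], server_is_iis)
        if verdict:
            severity, reason = verdict
            alerts.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"],
                           "severity": severity, "reason": reason})
    return alerts, unparsed


if __name__ == "__main__":
    found, skipped = scan(SAMPLE_LOG)
    for a in found:
        print(f"{a['severity']:6} {a['ip']:14} {a['target']:12} {a['reason']}")
    print(f"{skipped} unparsable line(s)")
```

The sample yields a high hit for the /admin/users override, a low hit where the header merely repeats the request path, a medium hit where a query string is appended (the cache would store the response for /products?utm=poison under /products), and a second high hit for /_profiler/. The server_is_iis flag downgrades everything to informational, matching the bullet that treats the headers as legitimate only on IIS.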

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     6.5    MEDIUM    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
nvd            v2.0     4.0    MEDIUM    AV:N/AC:L/Au:S/C:N/I:P/A:N
osv            -        6.5    MEDIUM    -
vendor_debian  -        6.5    MEDIUM    -