CVE-2020-5255 — Improper Interaction Between Multiple Correctly-Behaving Entities in Symfony

CWE-435 — Improper Interaction Between Multiple Correctly-Behaving Entities CWE-20 — Improper Input Validation8 documents6 sources

Severity

4.3MEDIUMNVD

CNA2.6

EPSS

0.4%

top 40.87%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Symfony Sensiolabs Symfony Symfony Http-foundation

Timeline

PublishedMar 30

Latest updateApr 9

Description

In Symfony before versions 4.4.7 and 5.0.7, when a `Response` does not contain a `Content-Type` header, affected versions of Symfony can fallback to the format defined in the `Accept` header of the request, leading to a possible mismatch between the response's content and `Content-Type` header. When the response is cached, this can prevent the use of the website by other users. This has been patched in versions 4.4.7 and 5.0.7.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:LExploitability: 2.8 | Impact: 1.4

Affected Packages5 packages

▶Packagistsymfony/symfony4.4.0 — 4.4.7+1

▶NVDsensiolabs/symfony4.4.0 — 4.4.7+1

▶Packagistsymfony/http-foundation4.4.0 — 4.4.7+1

▶Debiansymfony/symfony< 4.4.8-1+3

▶CVEListV5symfony/symfony>= 4.4.0 and < 4.4.7, >= 5.0.0 and < 5.0.7+1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

Prevent cache poisoning via a Response Content-Type header↗2020-03-30

▶

GHSA

Prevent cache poisoning via a Response Content-Type header in Symfony↗2020-03-30

▶

OSV

Prevent cache poisoning via a Response Content-Type header in Symfony↗2020-03-30

▶

OSV

CVE-2020-5255: In Symfony before versions 4↗2020-03-30

▶

📋Vendor Advisories

Debian

CVE-2020-5255: symfony - In Symfony before versions 4.4.7 and 5.0.7, when a `Response` does not contain a...↗2020

▶

💬Community

Bugzilla

CVE-2020-5255 php-symfony: Response without Content-Type header could result in cache poisoning↗2020-04-09

▶

Bugzilla

CVE-2020-5255 php-symfony4: php-symfony: Response without Content-Type header could result in cache poisoning [fedora-all]↗2020-04-09

▶