Symfony Http-Kernel vulnerabilities

7 known vulnerabilities affecting symfony/http-kernel.

Total CVEs: 7
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: HIGH 3, MEDIUM 4

Vulnerabilities

CVE-2014-5245 [HIGH] CWE-200: Symfony allows direct access of ESI URLs behind a trusted proxy
Affected versions: ≥ 2.0.0, < 2.3.19; ≥ 2.4.0, < 2.4.9; +1 more. Advisory date: 2024-05-30.
All 2.2.X, 2.3.X, 2.4.X, and 2.5.X versions of the Symfony HttpKernel component are affected by this security issue. Your application is vulnerable only if the ESI feature is enabled and there is a proxy in front of the web application. This issue has been fixed in Symfony 2.3.19, 2.4.9, and 2.5.4. Note that no fixes are provided for Symfo
Sources: GHSA, OSV
CVE-2022-24894 [MEDIUM] CWE-285: Symfony storing cookie headers in HttpCache
Affected versions: ≥ 2.0.0, < 4.4.50; ≥ 5.0.0, < 5.4.20; +3 more. Advisory date: 2023-02-01.
The Symfony HTTP cache system acts as a reverse proxy: it caches HTTP responses (including headers) and returns them to clients. In a recent `AbstractSessionListener` change, the response might now contain a `Set-Cookie` header. If the Symfony HTTP cache system is enabled, this header might be stored and returned to some other clients. An attacker can use this vu
Sources: GHSA, OSV
CVE-2015-4050 [MEDIUM] CWE-284: Symfony Incorrect Access Control (public PoC available)
Affected versions: ≥ 2.3.19, < 2.3.29; ≥ 2.5.4, < 2.5.12; +2 more. Advisory date: 2022-05-17.
FragmentListener in the HttpKernel component in Symfony 2.3.19 through 2.3.28, 2.4.9 through 2.4.10, 2.5.4 through 2.5.11, and 2.6.0 through 2.6.7, when ESI or SSI support is enabled, does not check if the `_controller` attribute is set, which allows remote attackers to bypass URL signing and security rules by including (1) no hash or (2) an invalid hash in a request to `/_fragment`. This issue has be
Sources: GHSA, OSV
CVE-2015-2308 [MEDIUM] CWE-94: Symfony Vulnerable to PHP Eval Injection
Affected versions: ≥ 2.0.0, < 2.3.27; ≥ 2.4.0, < 2.5.11; +1 more. Advisory date: 2022-05-17.
Applications with ESI support (and SSI support as of Symfony 2.6) enabled and using the Symfony built-in reverse proxy (the `Symfony\Component\HttpKernel\HttpCache` class) are vulnerable to PHP code injection; a malicious user can inject PHP code that will be executed by the server. HttpCache uses eval() to execute files in its cache when they contain ESI tags (and only when ESI is en
Sources: GHSA, OSV
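The design alternative to the eval()-based cache files described above is to treat ESI tags as data: parse the stored body into literal text and include directives, and resolve the includes through a sub-request callback, so nothing in a response body is ever compiled. The following is an added example written for this page, not Symfony's code (Symfony's own fix is not reproduced here); parseEsi(), renderEsi() and the $fetch callback are names chosen for the illustration, and the cached page is constructed.

```php
<?php
declare(strict_types=1);

// Added example, not Symfony code: ESI processing as parse-and-render.
// The body is never passed to eval(), so "<?php" inside user-supplied
// content stays inert text.

/**
 * Split a body into segments: ['text', string] or ['include', src, alt, continueOnError].
 * <esi:remove>...</esi:remove> and <esi:comment .../> are dropped, as a surrogate would.
 */
function parseEsi(string $body): array
{
    $body = preg_replace('#<esi:remove>.*?</esi:remove>#s', '', $body) ?? $body;
    $body = preg_replace('#<esi:comment[^>]*>#', '', $body) ?? $body;

    $segments = [];
    $offset = 0;
    preg_match_all('#<esi:include\s+([^>]*?)\s*/>#', $body, $matches, PREG_OFFSET_CAPTURE | PREG_SET_ORDER);
    foreach ($matches as $m) {
        [$tag, $pos] = $m[0];
        if ($pos > $offset) {
            $segments[] = ['text', substr($body, $offset, $pos - $offset)];
        }
        $attrs = [];
        preg_match_all('#(\w+)="([^"]*)"#', $m[1][0], $pairs, PREG_SET_ORDER);
        foreach ($pairs as $p) {
            $attrs[$p[1]] = $p[2];
        }
        if (!isset($attrs['src'])) {
            throw new RuntimeException('esi:include without src');
        }
        $segments[] = ['include', $attrs['src'], $attrs['alt'] ?? null, ($attrs['onerror'] ?? '') === 'continue'];
        $offset = $pos + strlen($tag);
    }
    if ($offset < strlen($body)) {
        $segments[] = ['text', substr($body, $offset)];
    }

    return $segments;
}

/**
 * Render segments. $fetch(string $src): string is a hypothetical callback that
 * issues the sub-request for a fragment and may throw on failure.
 */
function renderEsi(array $segments, callable $fetch): string
{
    $out = '';
    foreach ($segments as $seg) {
        if ($seg[0] === 'text') {
            $out .= $seg[1];
            continue;
        }
        [, $src, $alt, $continueOnError] = $seg;
        try {
            $out .= $fetch($src);
        } catch (Throwable $e) {
            if ($alt !== null) {
                $out .= $fetch($alt);
            } elseif (!$continueOnError) {
                throw $e;
            }
        }
    }

    return $out;
}

// Constructed sample: a cached page whose user comment carries PHP tags.
// Under eval()-based processing the raw "<?php" block would execute.
$cached = '<h1>Home</h1>'
    . '<esi:include src="/_fragment?_path=_controller%3Dmenu" onerror="continue" />'
    . '<p class="comment">&lt;?php system($_GET["c"]); ?&gt;</p>'
    . '<p><?php echo "still just text"; ?></p>'
    . '<esi:remove>fallback for non-ESI clients</esi:remove>';

$fragments = ['/_fragment?_path=_controller%3Dmenu' => '<nav>menu</nav>'];
$fetch = function (string $src) use ($fragments): string {
    if (!isset($fragments[$src])) {
        throw new RuntimeException("no fragment at $src");
    }
    return $fragments[$src];
};

echo renderEsi(parseEsi($cached), $fetch), "\n";
```

The fragment fetch in a real surrogate is a sub-request; the point of the structure is that the only executable path is that callback, and its input is an attribute value, never the body.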
CVE-2019-18887 [HIGH] CWE-203: Symfony Http-Kernel has non-constant time comparison in UriSigner
Affected versions: ≥ 2.2.0, < 2.8.52; ≥ 3.0.0, < 3.4.35; +2 more. Advisory date: 2022-03-26.
When checking the signature of a URI (an ESI fragment URL, for instance), the UriSigner did not use a constant-time string comparison function, resulting in a potential remote timing attack vulnerability.
Sources: GHSA, OSV
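Three of the entries above (CVE-2014-5245, CVE-2015-4050 and CVE-2019-18887) concern the same decision: who may fetch a `/_fragment` URL. The following added example, written for this page and not Symfony's code, shows a minimal signer and access check that fails closed on a missing hash, compares in constant time with hash_equals(), and bases the "is this the surrogate" shortcut on the TCP peer address rather than on a forwarded header. FragmentSigner, fragmentRequestAllowed(), the `_hash` parameter name, the secret and the request arrays are all chosen here; the shape mirrors the UriSigner/FragmentListener idea, not their API. Requires PHP 8.

```php
<?php
declare(strict_types=1);

// Added example, not Symfony's code. Names and inputs are invented.

final class FragmentSigner
{
    public function __construct(private string $secret, private string $parameter = '_hash')
    {
    }

    /** Append an HMAC over the canonical URI as the signature query parameter. */
    public function sign(string $uri): string
    {
        [$base, $params] = $this->split($uri);
        unset($params[$this->parameter]);
        $params[$this->parameter] = $this->computeHash($this->build($base, $params));

        return $this->build($base, $params);
    }

    /** True only when a signature is present AND matches; absence fails closed. */
    public function check(string $uri): bool
    {
        [$base, $params] = $this->split($uri);
        // CVE-2015-4050 case (1): no hash must be a rejection, not "nothing to
        // verify". The is_string() guard also rejects _hash[]=x (array value).
        if (!isset($params[$this->parameter]) || !is_string($params[$this->parameter])) {
            return false;
        }
        $given = $params[$this->parameter];
        unset($params[$this->parameter]);
        $expected = $this->computeHash($this->build($base, $params));

        // CVE-2019-18887: a plain === stops at the first differing byte, so the
        // response time leaks how many leading bytes of a forged hash were right.
        return hash_equals($expected, $given);
    }

    private function computeHash(string $canonical): string
    {
        return base64_encode(hash_hmac('sha256', $canonical, $this->secret, true));
    }

    /** Split into "scheme://host/path" and a query array. */
    private function split(string $uri): array
    {
        $p = parse_url($uri);
        if ($p === false) {
            throw new InvalidArgumentException('unparseable URI');
        }
        $base = (isset($p['scheme'], $p['host']) ? $p['scheme'].'://'.$p['host'] : '').($p['path'] ?? '/');
        $params = [];
        if (isset($p['query'])) {
            parse_str($p['query'], $params);
        }

        return [$base, $params];
    }

    /** Canonical form: keys sorted, so the same URI always hashes the same. */
    private function build(string $base, array $params): string
    {
        ksort($params);

        return $params === [] ? $base : $base.'?'.http_build_query($params, '', '&');
    }
}

/**
 * Access decision for a request to the fragment path. $server mimics $_SERVER.
 * Only REMOTE_ADDR (the TCP peer) may identify the caller as the ESI surrogate:
 * X-Forwarded-For is client-chosen once a trusted proxy relays it (the
 * CVE-2014-5245 lesson). Everyone else needs a valid signature.
 */
function fragmentRequestAllowed(array $server, FragmentSigner $signer, array $trustedProxies): bool
{
    if (!in_array($server['REQUEST_METHOD'] ?? 'GET', ['GET', 'HEAD'], true)) {
        return false;
    }
    if (in_array($server['REMOTE_ADDR'] ?? '', $trustedProxies, true)) {
        return true; // the surrogate itself resolving an <esi:include src="...">
    }
    $scheme = (($server['HTTPS'] ?? 'off') !== 'off') ? 'https' : 'http';
    $uri = $scheme.'://'.($server['HTTP_HOST'] ?? 'localhost').($server['REQUEST_URI'] ?? '/');

    return $signer->check($uri);
}

// Constructed requests, not captured traffic.
$signer = new FragmentSigner('change-me-32-bytes-of-real-secret');
$proxies = ['10.0.0.2'];
$signed = $signer->sign('http://app.example/_fragment?_path=_controller%3Dhello%26name%3Dbob');
$peer = ['HTTP_HOST' => 'app.example', 'REMOTE_ADDR' => '203.0.113.7', 'REQUEST_METHOD' => 'GET'];
$request = fn (string $uri, array $extra = []): array =>
    $extra + $peer + ['REQUEST_URI' => substr($uri, strlen('http://app.example'))];

$cases = [
    'signed'             => fragmentRequestAllowed($request($signed), $signer, $proxies),
    'no hash'            => fragmentRequestAllowed($request('http://app.example/_fragment?_path=x'), $signer, $proxies),
    'tampered path'      => fragmentRequestAllowed($request($signed.'x'), $signer, $proxies),
    'spoofed XFF'        => fragmentRequestAllowed($request('http://app.example/_fragment?_path=x', ['HTTP_X_FORWARDED_FOR' => '10.0.0.2']), $signer, $proxies),
    'from the surrogate' => fragmentRequestAllowed($request('http://app.example/_fragment?_path=x', ['REMOTE_ADDR' => '10.0.0.2']), $signer, $proxies),
];
foreach ($cases as $label => $allowed) {
    printf("%-19s %s\n", $label, $allowed ? 'allowed' : 'denied');
}
```

Only the "signed" case and the request whose TCP peer is the proxy should be allowed; the unsigned, tampered and spoofed-X-Forwarded-For requests are denied. If you keep a trusted-proxy shortcut at all, the secret must be long and random, and the proxy must not be reachable by clients for arbitrary paths.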
CVE-2021-41267 [MEDIUM] CWE-444: Webcache Poisoning in symfony/http-kernel
Affected versions: ≥ 5.2.0, < 5.3.12. Advisory date: 2021-11-24.
When a Symfony application is running behind a proxy or a load-balancer, you can tell Symfony to look for the `X-Forwarded-*` HTTP headers. HTTP headers that are not part of the "trusted_headers" allowed list are ignored and protect you from "Cache poisoning" attacks. In Symfony 5.2, we've added support for the `X-Forwarded-Prefix` header, but this header was accessi
Sources: GHSA, OSV
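The allowlist described above only protects you if every forwarded header is gated by it before the value reaches URL generation. The following added example, written for this page and not Symfony's code, shows that gating as a small resolver: a forwarded header is honoured only when the TCP peer is a trusted proxy and the header's flag is in the allowlist, and the resulting prefix is what an absolute URL (and therefore a cached page) would carry. The FWD_* constants, resolveContext(), absoluteUrl() and the request arrays are chosen here; they imitate the idea of the trusted_proxies/trusted_headers settings, not Symfony's actual constants or Request API.

```php
<?php
declare(strict_types=1);

// Added example, not Symfony code. Constant and function names are invented.

const FWD_FOR    = 1;
const FWD_HOST   = 2;
const FWD_PROTO  = 4;
const FWD_PORT   = 8;
const FWD_PREFIX = 16;

/**
 * Resolve scheme, host and base-path prefix from $server (a $_SERVER-like array).
 * A forwarded header counts only when BOTH hold: REMOTE_ADDR is a trusted proxy
 * and the header's flag is in $trustedHeaders. Otherwise connection-level
 * values are used and the header is ignored.
 */
function resolveContext(array $server, array $trustedProxies, int $trustedHeaders): array
{
    $fromProxy = in_array($server['REMOTE_ADDR'] ?? '', $trustedProxies, true);
    $use = fn (int $flag, string $key): ?string =>
        ($fromProxy && ($trustedHeaders & $flag) && isset($server[$key]) && $server[$key] !== '')
            ? $server[$key] : null;

    $scheme = $use(FWD_PROTO, 'HTTP_X_FORWARDED_PROTO')
        ?? ((($server['HTTPS'] ?? 'off') !== 'off') ? 'https' : 'http');
    $host = $use(FWD_HOST, 'HTTP_X_FORWARDED_HOST') ?? ($server['HTTP_HOST'] ?? 'localhost');
    // The prefix is a path the proxy strips before forwarding. Taken from an
    // untrusted header, it lands in every absolute URL the application builds,
    // and a shared cache then serves those URLs to everyone: CVE-2021-41267.
    $prefix = $use(FWD_PREFIX, 'HTTP_X_FORWARDED_PREFIX') ?? '';
    $prefix = $prefix === '' ? '' : '/'.trim($prefix, '/');

    return ['scheme' => $scheme, 'host' => $host, 'prefix' => $prefix];
}

/** Build an absolute URL the way a router would, from the resolved context. */
function absoluteUrl(array $ctx, string $path): string
{
    return $ctx['scheme'].'://'.$ctx['host'].$ctx['prefix'].$path;
}

// Constructed request: the proxy at 10.0.0.2 relays a client-forged
// X-Forwarded-Prefix without overwriting it.
$viaProxy = [
    'REMOTE_ADDR'             => '10.0.0.2',
    'HTTP_HOST'               => 'app.example',
    'HTTP_X_FORWARDED_PROTO'  => 'https',
    'HTTP_X_FORWARDED_PREFIX' => '/evil',
];
$proxies = ['10.0.0.2'];

// Allowlist without PREFIX: the forged prefix never reaches the URL.
$safe = resolveContext($viaProxy, $proxies, FWD_FOR | FWD_HOST | FWD_PROTO | FWD_PORT);
// PREFIX in the allowlist: only acceptable if the proxy sets that header
// itself; here it relayed client input, so the generated URL is poisoned.
$poisoned = resolveContext($viaProxy, $proxies, FWD_FOR | FWD_HOST | FWD_PROTO | FWD_PORT | FWD_PREFIX);
// Same headers from a peer that is not a trusted proxy: all of them ignored.
$direct = resolveContext(array_replace($viaProxy, ['REMOTE_ADDR' => '203.0.113.9']), $proxies, FWD_PREFIX);

foreach (['safe' => $safe, 'poisoned' => $poisoned, 'direct' => $direct] as $label => $ctx) {
    printf("%-9s %s\n", $label, absoluteUrl($ctx, '/login'));
}
```

The "safe" and "direct" URLs carry no /evil prefix; the "poisoned" one does. Enabling the prefix flag is only sound when the proxy in front strips or overwrites X-Forwarded-Prefix on every incoming request.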
CVE-2020-15094 [HIGH] CWE-212: RCE in Symfony
Affected versions: ≥ 4.3.0, < 4.4.13; ≥ 5.0.0, < 5.1.5. Advisory date: 2020-09-02.
The `CachingHttpClient` class from the HttpClient Symfony component relies on the `HttpCache` class to handle requests. `HttpCache` uses internal headers like `X-Body-Eval` and `X-Body-File` to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by `CachingHttpClient` and if a
Sources: GHSA, OSV
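CVE-2022-24894 and CVE-2020-15094 are both failures of the same step: deciding what from an origin response is allowed into shared cache storage. The following added example, written for this page and not Symfony's code, applies the two checks a cache should make before storing a response: refuse anything that carries Set-Cookie (per-client state must not be replayed to other clients), and strip the internal control headers named in the advisory above when the origin is not the cache's own trusted backend. prepareForStore(), normaliseHeaders(), the $originTrusted flag and the sample responses are chosen here; the header names X-Body-Eval and X-Body-File are taken from the advisory text.

```php
<?php
declare(strict_types=1);

// Added example, not Symfony code. Function names and sample responses are invented.

/** Headers that only the cache's own trusted surrogate machinery may set. */
const INTERNAL_CONTROL_HEADERS = ['x-body-eval', 'x-body-file'];

/** Hop-by-hop headers, never stored (RFC 9110 section 7.6.1). */
const HOP_BY_HOP_HEADERS = ['connection', 'keep-alive', 'proxy-authenticate', 'proxy-authorization',
    'te', 'trailer', 'transfer-encoding', 'upgrade'];

/** Lowercase header names; keep one list of values per name. */
function normaliseHeaders(array $headers): array
{
    $out = [];
    foreach ($headers as $name => $values) {
        $out[strtolower((string) $name)] = array_values((array) $values);
    }

    return $out;
}

/**
 * Decide whether an origin response may be stored. Returns the header set to
 * store, or null when the response must not be cached. $originTrusted is
 * false for responses fetched from an arbitrary remote server, which is the
 * CachingHttpClient scenario in CVE-2020-15094.
 */
function prepareForStore(int $status, array $headers, bool $originTrusted): ?array
{
    $h = normaliseHeaders($headers);

    $cacheControl = strtolower(implode(',', $h['cache-control'] ?? []));
    if (preg_match('/\b(no-store|private)\b/', $cacheControl)) {
        return null;
    }
    if (!in_array($status, [200, 203, 204, 300, 301, 404, 410], true)) {
        return null;
    }

    // CVE-2022-24894 lesson: Set-Cookie is per-client state. Replaying it from
    // cache hands one user's session cookie to the next visitor. The
    // conservative rule is to never store such a response at all.
    if (isset($h['set-cookie'])) {
        return null;
    }

    // CVE-2020-15094 lesson: headers that tell the cache to eval a body or
    // read a file on restore are an internal protocol between the surrogate
    // and its own backend. From any other origin they are dropped unseen.
    if (!$originTrusted) {
        foreach (INTERNAL_CONTROL_HEADERS as $name) {
            unset($h[$name]);
        }
    }
    foreach (HOP_BY_HOP_HEADERS as $name) {
        unset($h[$name]);
    }

    return $h;
}

// Constructed responses, not captured traffic.
$sessionResponse = ['Cache-Control' => 'max-age=60', 'Set-Cookie' => 'PHPSESSID=abc123; Path=/; HttpOnly', 'Content-Type' => 'text/html'];
$remoteResponse  = ['Cache-Control' => 'public, max-age=60', 'X-Body-Eval' => '1', 'Content-Type' => 'text/html'];
$plainResponse   = ['Cache-Control' => 'public, max-age=60', 'Content-Type' => 'text/html', 'Connection' => 'keep-alive'];

var_dump(prepareForStore(200, $sessionResponse, true));  // refused: carries Set-Cookie
var_dump(prepareForStore(200, $remoteResponse, false));  // stored without x-body-eval
var_dump(prepareForStore(200, $plainResponse, true));    // stored without the hop-by-hop header
```

The internal-header stripping only helps if it runs before the restoration code that honours those headers; a cache that strips on read instead of on write is still one bug away from evaluating a remote body.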