CVE-2020-15094

Published: Sep 2, 2020Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

In Symfony before versions 4.4.13 and 5.1.5, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response for a request being made by the CachingHttpClient, remote code execution is possible. This has been fixed in versions 4.4.13 and 5.1.5.

Affected (6)

Products: Sensiolabs: Httpclient, Symfony · Fedoraproject: Fedora

2 products

1 product

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Sensiolabs Httpclient	From 4.4.0 to 4.4.13
Sensiolabs Httpclient	From 5.1.0 to 5.1.5
Sensiolabs Symfony	From 4.4.0 to 4.4.13
Sensiolabs Symfony	From 5.1.0 to 5.1.5

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 32
Fedoraproject Fedora	Version 33

Related CWEs

Improper Removal of Sensitive Information Before Storage or Transfer

The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.

References (12)

https://github.com/symfony/symfony/commit/d9910e0b33a2e0f993abff41c6fbc86951b66d78

Source: security-advisories@github.com

PatchThird Party Advisory

https://github.com/symfony/symfony/security/advisories/GHSA-754h-5r27-7x3r

Source: security-advisories@github.com

Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HNGUWOEETOFVH4PN3I3YO4QZHQ4AUKF3/

Source: security-advisories@github.com

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VAQJXAKWPMWB7OL6QPG2ZSEQZYYPU5RC/

Source: security-advisories@github.com

https://packagist.org/packages/symfony/http-kernel

Source: security-advisories@github.com

ProductThird Party Advisory

https://packagist.org/packages/symfony/symfony

Source: security-advisories@github.com

ProductThird Party Advisory

https://github.com/symfony/symfony/commit/d9910e0b33a2e0f993abff41c6fbc86951b66d78

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/symfony/symfony/security/advisories/GHSA-754h-5r27-7x3r

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HNGUWOEETOFVH4PN3I3YO4QZHQ4AUKF3/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VAQJXAKWPMWB7OL6QPG2ZSEQZYYPU5RC/

Source: af854a3a-2127-422b-91ae-364da2661108

https://packagist.org/packages/symfony/http-kernel

Source: af854a3a-2127-422b-91ae-364da2661108

ProductThird Party Advisory

https://packagist.org/packages/symfony/symfony

Source: af854a3a-2127-422b-91ae-364da2661108

ProductThird Party Advisory

Timeline

No history available yet.