CVE-2015-2308: Code Injection
First published: Wed Apr 01 2015(Updated: )
Applications with ESI support (and SSI support as of Symfony 2.6) enabled and using the Symfony built-in reverse proxy (the `Symfony\Component\HttpKernel\HttpCache class) are vulnerable to PHP code injection; a malicious user can inject PHP code that will be executed by the server. HttpCache uses eval() to execute files in its cache when they contain ESI tags (and only when ESI is enabled). The vulnerability comes from the fact that PHP allows contents of <script language="php"> tags to be executed (and this kind of PHP tags is always available regardless of the configuration), but there were not escaped before the evaluation. A possible exploit comes from websites also vulnerable to Cross-Site Scripting as an attacker can successfully conduct a PHP code injection attack by passing such a tag in a user submitted variable (for which proper output escaping was not applied).
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/symfony/symfony | >=2.0.0<2.1.0>=2.1.0<2.2.0>=2.2.0<2.3.0>=2.3.0<2.3.27>=2.4.0<2.5.0>=2.5.0<2.5.11>=2.6.0<2.6.6 | |
| composer/symfony/http-kernel | >=2.0.0<2.1.0>=2.1.0<2.2.0>=2.2.0<2.3.0>=2.3.0<2.3.27>=2.4.0<2.5.0>=2.5.0<2.5.11>=2.6.0<2.6.6 | |
| composer/symfony/http-kernel | >=2.6.0<2.6.6 | 2.6.6 |
| composer/symfony/http-kernel | >=2.4.0<2.5.11 | 2.5.11 |
| composer/symfony/http-kernel | >=2.0.0<2.3.27 | 2.3.27 |
| composer/symfony/symfony | >=2.6.0<2.6.6 | 2.6.6 |
| composer/symfony/symfony | >=2.4.0<2.5.11 | 2.5.11 |
| composer/symfony/symfony | >=2.0.0<2.3.27 | 2.3.27 |
| Symfony | =2.0.0 | |
| Symfony | =2.0.1 | |
| Symfony | =2.0.2 | |
| Symfony | =2.0.3 | |
| Symfony | =2.0.4 | |
| Symfony | =2.0.5 | |
| Symfony | =2.0.6 | |
| Symfony | =2.0.7 | |
| Symfony | =2.0.8 | |
| Symfony | =2.0.9 | |
| Symfony | =2.0.10 | |
| Symfony | =2.0.11 | |
| Symfony | =2.0.12 | |
| Symfony | =2.0.13 | |
| Symfony | =2.0.14 | |
| Symfony | =2.0.15 | |
| Symfony | =2.0.16 | |
| Symfony | =2.0.17 | |
| Symfony | =2.0.18 | |
| Symfony | =2.0.19 | |
| Symfony | =2.0.20 | |
| Symfony | =2.0.21 | |
| Symfony | =2.0.22 | |
| Symfony | =2.1.0 | |
| Symfony | =2.1.1 | |
| Symfony | =2.1.2 | |
| Symfony | =2.1.3 | |
| Symfony | =2.1.4 | |
| Symfony | =2.1.5 | |
| Symfony | =2.1.6 | |
| Symfony | =2.1.7 | |
| Symfony | =2.2.0 | |
| Symfony | =2.2.1 | |
| Symfony | =2.2.2 | |
| Symfony | =2.2.3 | |
| Symfony | =2.2.4 | |
| Symfony | =2.2.5 | |
| Symfony | =2.2.6 | |
| Symfony | =2.2.8 | |
| Symfony | =2.2.9 | |
| Symfony | =2.2.10 | |
| Symfony | =2.2.11 | |
| Symfony | =2.3.19 | |
| Symfony | =2.3.20 | |
| Symfony | =2.3.21 | |
| Symfony | =2.3.22 | |
| Symfony | =2.3.23 | |
| Symfony | =2.3.24 | |
| Symfony | =2.3.25 | |
| Symfony | =2.3.26 | |
| Symfony | =2.4.1 | |
| Symfony | =2.4.2 | |
| Symfony | =2.4.3 | |
| Symfony | =2.4.4 | |
| Symfony | =2.4.5 | |
| Symfony | =2.4.6 | |
| Symfony | =2.4.7 | |
| Symfony | =2.4.8 | |
| Symfony | =2.4.9 | |
| Symfony | =2.4.10 | |
| Symfony | =2.5.1 | |
| Symfony | =2.5.2 | |
| Symfony | =2.5.3 | |
| Symfony | =2.5.4 | |
| Symfony | =2.5.5 | |
| Symfony | =2.5.6 | |
| Symfony | =2.5.7 | |
| Symfony | =2.5.8 | |
| Symfony | =2.5.9 | |
| Symfony | =2.5.10 | |
| Symfony | =2.6.0 | |
| Symfony | =2.6.1 | |
| Symfony | =2.6.3 | |
| Symfony | =2.6.4 | |
| Symfony | =2.6.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://symfony.com/cve-2015-2308
- http://jvn.jp/en/jp/JVN19578958/index.html
- http://jvndb.jvn.jp/jvndb/JVNDB-2015-000089
- http://www.securityfocus.com/bid/75357
- https://symfony.com/blog/cve-2015-2308-esi-code-injection
- https://nvd.nist.gov/vuln/detail/CVE-2015-2308
- https://github.com/symfony/symfony/pull/14167/commits/195c57e1f50765aff33137689b16e126a689056a
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-kernel/CVE-2015-2308.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2015-2308.yaml
- https://web.archive.org/web/20200228084751/http://www.securityfocus.com/bid/75357
- https://github.com/advisories/GHSA-5c58-w9xc-qcj9 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2015-2308?
CVE-2015-2308 has a critical severity due to the potential for PHP code injection by malicious users.
How do I fix CVE-2015-2308?
To fix CVE-2015-2308, upgrade to Symfony version 2.6.6 or later, or apply patches if available.
Which versions are affected by CVE-2015-2308?
CVE-2015-2308 affects Symfony versions from 2.0.0 up to 2.6.5.
What can happen if CVE-2015-2308 is exploited?
Exploitation of CVE-2015-2308 can lead to remote code execution on the server via injected PHP code.
Is CVE-2015-2308 specific to certain features in Symfony?
Yes, CVE-2015-2308 specifically affects applications with ESI and SSI support enabled in Symfony.
- collector/friends-of-php
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-5c58-w9xc-qcj9
- alias/CVE-2015-2308
- agent/software-canonical-lookup
- agent/references
- agent/weakness
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/description
- agent/author
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/composer
- vendor/sensiolabs
- canonical/symfony
- version/symfony/2.0.0
- version/symfony/2.0.1
- version/symfony/2.0.2
- version/symfony/2.0.3
- version/symfony/2.0.4
- version/symfony/2.0.5
- version/symfony/2.0.6
- version/symfony/2.0.7
- version/symfony/2.0.8
- version/symfony/2.0.9
- version/symfony/2.0.10
- version/symfony/2.0.11
- version/symfony/2.0.12
- version/symfony/2.0.13
- version/symfony/2.0.14
- version/symfony/2.0.15
- version/symfony/2.0.16
- version/symfony/2.0.17
- version/symfony/2.0.18
- version/symfony/2.0.19
- version/symfony/2.0.20
- version/symfony/2.0.21
- version/symfony/2.0.22
- version/symfony/2.1.0
- version/symfony/2.1.1
- version/symfony/2.1.2
- version/symfony/2.1.3
- version/symfony/2.1.4
- version/symfony/2.1.5
- version/symfony/2.1.6
- version/symfony/2.1.7
- version/symfony/2.2.0
- version/symfony/2.2.1
- version/symfony/2.2.2
- version/symfony/2.2.3
- version/symfony/2.2.4
- version/symfony/2.2.5
- version/symfony/2.2.6
- version/symfony/2.2.8
- version/symfony/2.2.9
- version/symfony/2.2.10
- version/symfony/2.2.11
- version/symfony/2.3.19
- version/symfony/2.3.20
- version/symfony/2.3.21
- version/symfony/2.3.22
- version/symfony/2.3.23
- version/symfony/2.3.24
- version/symfony/2.3.25
- version/symfony/2.3.26
- version/symfony/2.4.1
- version/symfony/2.4.2
- version/symfony/2.4.3
- version/symfony/2.4.4
- version/symfony/2.4.5
- version/symfony/2.4.6
- version/symfony/2.4.7
- version/symfony/2.4.8
- version/symfony/2.4.9
- version/symfony/2.4.10
- version/symfony/2.5.1
- version/symfony/2.5.2
- version/symfony/2.5.3
- version/symfony/2.5.4
- version/symfony/2.5.5
- version/symfony/2.5.6
- version/symfony/2.5.7
- version/symfony/2.5.8
- version/symfony/2.5.9
- version/symfony/2.5.10
- version/symfony/2.6.0
- version/symfony/2.6.1
- version/symfony/2.6.3
- version/symfony/2.6.4
- version/symfony/2.6.5