CVE-2018-14773
First published: Wed Aug 01 2018(Updated: )
An issue was discovered in Http Foundation in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. It arises from support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header. These headers are designed for IIS support, but it's not verified that the server is in fact running IIS, which means anybody who can send these requests to an application can trigger this. This affects \Symfony\Component\HttpFoundation\Request::prepareRequestUri() where X-Original-URL and X_REWRITE_URL are both used. The fix drops support for these methods so that they cannot be used as attack vectors such as web cache poisoning.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/symfony/http-foundation | >=2.0.0<2.1.0>=2.1.0<2.2.0>=2.2.0<2.3.0>=2.3.0<2.4.0>=2.4.0<2.5.0>=2.5.0<2.6.0>=2.6.0<2.7.0>=2.7.0<2.7.49>=2.8.0<2.8.44>=3.0.0<3.1.0>=3.1.0<3.2.0>=3.2.0<3.3.0>=3.3.0<3.3.18>=3.4.0<3.4.14>=4.0.0<4.0.14>=4.1.0<4.1.3 | |
| composer/symfony/symfony | >=2.0.0<2.1.0>=2.1.0<2.2.0>=2.2.0<2.3.0>=2.3.0<2.4.0>=2.4.0<2.5.0>=2.5.0<2.6.0>=2.6.0<2.7.0>=2.7.0<2.7.49>=2.8.0<2.8.44>=3.0.0<3.1.0>=3.1.0<3.2.0>=3.2.0<3.3.0>=3.3.0<3.3.18>=3.4.0<3.4.14>=4.0.0<4.0.14>=4.1.0<4.1.3 | |
| composer/symfony/http-foundation | >=4.1.0<4.1.3 | 4.1.3 |
| composer/symfony/http-foundation | >=4.0.0<4.0.14 | 4.0.14 |
| composer/symfony/http-foundation | >=3.4.0<3.4.14 | 3.4.14 |
| composer/symfony/http-foundation | >=3.0.0<3.3.18 | 3.3.18 |
| composer/symfony/http-foundation | >=2.8.0<2.8.44 | 2.8.44 |
| composer/symfony/http-foundation | >=2.7.0<2.7.49 | 2.7.49 |
| SensioLabs Symfony | >2.7.0<=2.7.48 | |
| SensioLabs Symfony | >=2.8.0<=2.8.43 | |
| SensioLabs Symfony | >=3.3.0<=3.3.17 | |
| SensioLabs Symfony | >=3.4.0<=3.4.13 | |
| SensioLabs Symfony | >=4.0.0<=4.0.13 | |
| SensioLabs Symfony | >=4.1.0<=4.1.2 | |
| Debian Debian Linux | =8.0 | |
| Debian Debian Linux | =9.0 | |
| Drupal Drupal | >=8.0.0<8.5.6 | |
| debian/symfony | 3.4.22+dfsg-2+deb10u1 3.4.22+dfsg-2+deb10u2 4.4.19+dfsg-2+deb11u3 5.4.23+dfsg-1 5.4.29+dfsg-1 5.4.30+dfsg-1 | |
| composer/symfony/symfony | >=4.1.0<4.1.3 | 4.1.3 |
| composer/symfony/symfony | >=4.0.0<4.0.14 | 4.0.14 |
| composer/symfony/symfony | >=3.4.0<3.4.14 | 3.4.14 |
| composer/symfony/symfony | >=3.0.0<3.3.18 | 3.3.18 |
| composer/symfony/symfony | >=2.8.0<2.8.44 | 2.8.44 |
| composer/symfony/symfony | >=2.7.0<2.7.49 | 2.7.49 |
| >2.7.0<=2.7.48 | ||
| >=2.8.0<=2.8.43 | ||
| >=3.3.0<=3.3.17 | ||
| >=3.4.0<=3.4.13 | ||
| >=4.0.0<=4.0.13 | ||
| >=4.1.0<=4.1.2 | ||
| =8.0 | ||
| =9.0 | ||
| >=8.0.0<8.5.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers
- https://nvd.nist.gov/vuln/detail/CVE-2018-14773
- https://github.com/symfony/symfony/commit/e447e8b92148ddb3d1956b96638600ec95e08f6b
- https://lists.debian.org/debian-lts-announce/2019/03/msg00009.html
- https://seclists.org/bugtraq/2019/May/21
- https://www.debian.org/security/2019/dsa-4441
- https://www.drupal.org/SA-CORE-2018-005
- http://www.securityfocus.com/bid/104943
- http://www.securitytracker.com/id/1041405
- https://github.com/advisories/GHSA-8wgj-6wx8-h5hq (Advisory)
- https://security-tracker.debian.org/tracker/CVE-2018-14773
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2018-14773.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2018-14773.yaml
Frequently Asked Questions
What is CVE-2018-14773?
CVE-2018-14773 is a vulnerability in Http Foundation in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2 that allows users to override the path in the request URL via the X… header.
What is the severity of CVE-2018-14773?
The severity of CVE-2018-14773 is medium, with a CVSS score of 6.5.
How does CVE-2018-14773 affect SensioLabs Symfony?
CVE-2018-14773 affects SensioLabs Symfony versions 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2.
How do I fix CVE-2018-14773 in Symfony?
To fix CVE-2018-14773 in Symfony, upgrade to version 4.1.3 or apply the appropriate patch for your version.
What is the Common Weakness Enumeration (CWE) of CVE-2018-14773?
The Common Weakness Enumeration (CWE) of CVE-2018-14773 is CWE-349.
- collector/friends-of-php
- collector/nvd-index
- collector/security-tracker-debian
- agent/type
- agent/author
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-8wgj-6wx8-h5hq
- alias/CVE-2018-14773
- agent/software-canonical-lookup
- agent/weakness
- agent/remedy
- agent/last-modified-date
- agent/description
- agent/references
- agent/severity
- agent/softwarecombine
- agent/event
- collector/nvd-cve
- source/NVD
- collector/github-advisory
- agent/tags
- collector/mitre-cve
- source/MITRE
- package-manager/composer
- vendor/sensiolabs
- canonical/sensiolabs symfony
- version/sensiolabs symfony/2.7.48
- version/sensiolabs symfony/2.8.0
- version/sensiolabs symfony/2.8.43
- version/sensiolabs symfony/3.3.0
- version/sensiolabs symfony/3.3.17
- version/sensiolabs symfony/3.4.0
- version/sensiolabs symfony/3.4.13
- version/sensiolabs symfony/4.0.0
- version/sensiolabs symfony/4.0.13
- version/sensiolabs symfony/4.1.0
- version/sensiolabs symfony/4.1.2
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- version/debian debian linux/9.0
- vendor/drupal
- canonical/drupal drupal
- version/drupal drupal/8.0.0
- package-manager/debian