CVE-2018-14774: Input Validation
First published: Fri Aug 03 2018(Updated: )
An issue was discovered in HttpKernel in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. When using HttpCache, the values of the X-Forwarded-Host headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/symfony/symfony | >=4.1.0<=4.1.2 | 4.1.3 |
| composer/symfony/symfony | >=4.0.0<=4.0.13 | 4.0.14 |
| composer/symfony/symfony | >=3.4.0<=3.4.13 | 3.4.14 |
| composer/symfony/symfony | >=3.3.0<=3.3.17 | 3.3.18 |
| composer/symfony/symfony | >=2.8.0<=2.8.43 | 2.8.44 |
| composer/symfony/symfony | >=2.7.0<=2.7.48 | 2.7.49 |
| Symfony | >=2.7.0<=2.7.48 | |
| Symfony | >=2.8.0<=2.8.43 | |
| Symfony | >=3.3.0<=3.3.17 | |
| Symfony | >=3.4.0<=3.4.13 | |
| Symfony | >=4.0.0<=4.0.13 | |
| Symfony | >=4.1.0<=4.1.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2018-14774?
The severity of CVE-2018-14774 is high with a severity value of 7.2.
How does CVE-2018-14774 affect Symfony?
CVE-2018-14774 affects Symfony versions 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2.
What is the remedy for CVE-2018-14774?
The remedy for CVE-2018-14774 is to upgrade Symfony to version 4.1.3, 4.0.14, 3.4.14, 3.3.18, 2.8.44, or 2.7.49.
What is the issue in CVE-2018-14774?
The issue in CVE-2018-14774 is the implicit trust of X-Forwarded-Host headers when using HttpCache in Symfony.
Where can I find more information about CVE-2018-14774?
More information about CVE-2018-14774 can be found at the following references: [NIST NVD](https://nvd.nist.gov/vuln/detail/CVE-2018-14774), [GitHub](https://github.com/symfony/symfony/commit/725dee4cd8b4ccd52e335ae4b4522242cea9bd4a), [Symfony Blog](https://symfony.com/blog/cve-2018-14774-possible-host-header-injection-when-using-httpcache)
- collector/github-advisory-latest
- alias/GHSA-66p6-7p29-55p9
- alias/CVE-2018-14774
- collector/github-advisory
- agent/type
- agent/remedy
- agent/references
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/last-modified-date
- agent/severity
- agent/description
- agent/event
- agent/first-publish-date
- agent/trending
- agent/source
- agent/tags
- collector/nvd-cve
- agent/software-canonical-lookup-request
- collector/nvd-index
- agent/author
- package-manager/composer
- vendor/sensiolabs
- canonical/symfony
- version/symfony/2.7.0
- version/symfony/2.7.48
- version/symfony/2.8.0
- version/symfony/2.8.43
- version/symfony/3.3.0
- version/symfony/3.3.17
- version/symfony/3.4.0
- version/symfony/3.4.13
- version/symfony/4.0.0
- version/symfony/4.0.13
- version/symfony/4.1.0
- version/symfony/4.1.2