What is CVE-2020-15094?

CVE-2020-15094 is a vulnerability in the Symfony HttpClient component that allows remote code execution (RCE) when calling an untrusted remote.

What is the severity of CVE-2020-15094?

CVE-2020-15094 has a severity value of 8.8, which is considered high.

Which software packages are affected by CVE-2020-15094?

The affected software packages include Symfony HttpKernel and Symfony HttpClient versions 4.3.0 up to 4.4.13, and versions 5.0.0 up to 5.1.5. It also affects Sensiolabs Httpclient versions 4.4.0 up to 4.4.13 and versions 5.1.0 up to 5.1.5, as well as Sensiolabs Symfony versions 4.4.0 up to 4.4.13 and versions 5.1.0 up to 5.1.5.

How does the CachingHttpClient class in Symfony handle requests?

The CachingHttpClient class in Symfony relies on the HttpCache class to handle requests.

What headers does the HttpCache class use to control the restoration of cached responses?

The HttpCache class uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses.

Vulnerability/
CVE-2020-15094

high

8.8

CWE

212

2/9/2020

4/8/2024

CVE-2020-15094: RCE in Symfony

First published: Wed Sep 02 2020(Updated: )

CVE-2020-15094: Prevent RCE when calling untrusted remote with CachingHttpClient

Credit: security-advisories@github.com security-advisories@github.com

Affected Software	Affected Version	How to fix
composer/symfony/http-kernel	>=4.3.0<4.4.0>=4.4.0<4.4.13>=5.0.0<5.1.0>=5.1.0<5.1.5
composer/symfony/symfony	>=4.3.0<4.4.0>=4.4.0<4.4.13>=5.0.0<5.1.0>=5.1.0<5.1.5
Sensiolabs Httpclient	>=4.4.0<4.4.13
Sensiolabs Httpclient	>=5.1.0<5.1.5
SensioLabs Symfony	>=4.4.0<4.4.13
SensioLabs Symfony	>=5.1.0<5.1.5
Fedoraproject Fedora	=32
Fedoraproject Fedora	=33
composer/symfony/symfony	>=4.3.0<4.4.13	4.4.13
composer/symfony/http-kernel	>=4.3.0<4.4.13	4.4.13
composer/symfony/symfony	>=5.0.0<5.1.5	5.1.5
composer/symfony/http-kernel	>=5.0.0<5.1.5	5.1.5

Remedy

https://github.com/symfony/symfony/commit/d9910e0b33a2e0f993abff41c6fbc86951b66d78

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2020-15094?
CVE-2020-15094 is a vulnerability in the Symfony HttpClient component that allows remote code execution (RCE) when calling an untrusted remote.
What is the severity of CVE-2020-15094?
CVE-2020-15094 has a severity value of 8.8, which is considered high.
Which software packages are affected by CVE-2020-15094?
The affected software packages include Symfony HttpKernel and Symfony HttpClient versions 4.3.0 up to 4.4.13, and versions 5.0.0 up to 5.1.5. It also affects Sensiolabs Httpclient versions 4.4.0 up to 4.4.13 and versions 5.1.0 up to 5.1.5, as well as Sensiolabs Symfony versions 4.4.0 up to 4.4.13 and versions 5.1.0 up to 5.1.5.
How does the CachingHttpClient class in Symfony handle requests?
The CachingHttpClient class in Symfony relies on the HttpCache class to handle requests.
What headers does the HttpCache class use to control the restoration of cached responses?
The HttpCache class uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses.

collector/friends-of-php
collector/nvd-index
agent/type
agent/first-publish-date
collector/github-advisory-latest
source/GitHub
alias/GHSA-754h-5r27-7x3r
alias/CVE-2020-15094
agent/software-canonical-lookup
agent/severity
agent/weakness
agent/remedy
agent/softwarecombine
agent/description
collector/nvd-cve
source/NVD
agent/references
agent/author
collector/github-advisory
collector/mitre-cve
source/MITRE
agent/title
agent/last-modified-date
agent/tags
agent/event
package-manager/composer
vendor/sensiolabs
canonical/sensiolabs httpclient
version/sensiolabs httpclient/4.4.0
version/sensiolabs httpclient/5.1.0
canonical/sensiolabs symfony
version/sensiolabs symfony/4.4.0
version/sensiolabs symfony/5.1.0
vendor/fedoraproject
canonical/fedoraproject fedora
version/fedoraproject fedora/32
version/fedoraproject fedora/33