CVE-2018-14773

MEDIUM

Symfony <4.1.2 - Path Traversal


Description

An issue was discovered in Http Foundation in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. It arises from support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header. These headers are designed for IIS support, but it's not verified that the server is in fact running IIS, which means anybody who can send these requests to an application can trigger this. This affects \Symfony\Component\HttpFoundation\Request::prepareRequestUri() where X-Original-URL and X_REWRITE_URL are both used. The fix drops support for these methods so that they cannot be used as attack vectors such as web cache poisoning.
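As an added illustration (not Symfony's code and not part of the advisory), the following Python snippet shows how a defender can flag requests that carry the IIS-style path-override headers described above, for use in log review or as the basis of a reverse-proxy rule that strips them before they reach the application. The sample requests are constructed; the hostname app.example and the paths are assumed.

```python
# Added example: detect the X-Original-URL / X-Rewrite-URL override headers
# from CVE-2018-14773 in raw HTTP request heads and report when the override
# disagrees with the path in the request line. Defensive/detection use only.

OVERRIDE_HEADERS = {"x-original-url", "x-rewrite-url"}


def normalize_header_name(name: str) -> str:
    # PHP's $_SERVER maps both "X-Rewrite-URL" and "X_Rewrite_URL" to
    # HTTP_X_REWRITE_URL, so treat '-' and '_' as equivalent here too.
    return name.strip().lower().replace("_", "-")


def parse_request(raw: str):
    """Split a raw HTTP/1.x request head into (method, target, headers)."""
    lines = raw.strip("\r\n").splitlines()
    method, target, *_ = lines[0].split()
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # skip malformed or continuation lines
        name, _, value = line.partition(":")
        # keep the first occurrence, as most servers do for single-valued headers
        headers.setdefault(normalize_header_name(name), value.strip())
    return method, target, headers


def check_path_override(raw: str) -> dict:
    """Return a finding; 'suspicious' is True whenever an override header is present."""
    method, target, headers = parse_request(raw)
    present = {h: v for h, v in headers.items() if h in OVERRIDE_HEADERS}
    request_path = target.split("?", 1)[0]
    # An override that differs from the request-line path is the shape a cache
    # poisoning attempt takes: the cache keys on one path, the app serves another.
    mismatched = {h: v for h, v in present.items() if v.split("?", 1)[0] != request_path}
    return {
        "method": method,
        "request_path": request_path,
        "override_headers": present,
        "suspicious": bool(present),
        "path_mismatch": bool(mismatched),
    }


# Constructed sample requests (not captured traffic); app.example is assumed.
BENIGN = "GET /blog/post/1 HTTP/1.1\r\nHost: app.example\r\nUser-Agent: curl/8.0\r\n"
SUSPECT = "GET /blog/post/1 HTTP/1.1\r\nHost: app.example\r\nX-Original-URL: /admin/users\r\n"

if __name__ == "__main__":
    for raw in (BENIGN, SUSPECT):
        print(check_path_override(raw))
```

Because the override is only honoured by unpatched HttpFoundation, the durable fix is upgrading; stripping these headers at the edge is a compensating control for hosts that cannot upgrade yet.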

References (8)

http://www.securityfocus.com/bid/104943 (Third Party Advisory, VDB Entry; vdb-entry, x_refsource_bid)
https://www.drupal.org/SA-CORE-2018-005 (Patch, Third Party Advisory; x_refsource_confirm)
https://lists.debian.org/debian-lts-announce/2019/03/msg00009.html (Mailing List, Third Party Advisory; mailing-list, x_refsource_mlist)
http://www.securitytracker.com/id/1041405 (Third Party Advisory, VDB Entry; vdb-entry, x_refsource_sectrack)
https://www.debian.org/security/2019/dsa-4441 (Third Party Advisory; vendor-advisory, x_refsource_debian)
https://seclists.org/bugtraq/2019/May/21 (Issue Tracking, Mailing List, Third Party Advisory; mailing-list, x_refsource_bugtraq)

Scores

CVSS v3 6.5
EPSS 0.1665
EPSS Percentile 94.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Details

Status published
Products (6)
debian/debian_linux 8.0
debian/debian_linux 9.0
drupal/drupal 8.0.0 - 8.5.6
sensiolabs/symfony 2.7.0 - 2.7.48
symfony/http-foundation 2.7.0 - 2.7.49 (Packagist)
symfony/symfony 2.7.0 - 2.7.49 (Packagist)
Published Aug 03, 2018
Tracked Since Feb 18, 2026