CVE-2018-14774

HIGH

Symfony <4.1.3 - Host Header Injection

Title source: llm

Description

An issue was discovered in HttpKernel in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. When using HttpCache, the values of the X-Forwarded-Host headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection.

References (2)

[Issue Tracking, Patch, Third Party Advisory] https://github.com/symfony/symfony/commit/725dee4cd8b4ccd52e335ae4b4522242cea9bd4a

View Patch ZIP pw:eip

[Patch, Third Party Advisory] https://symfony.com/blog/cve-2018-14774-possible-host-header-injection-when-using-httpcache

Scores

CVSS v3 7.2

EPSS 0.0014

EPSS Percentile 33.6%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Classification

CWE

CWE-20

Status published

Affected Products (2)

sensiolabs/symfony < 2.7.48

symfony/symfony < 2.7.49Packagist

Timeline

Published Aug 03, 2018

Tracked Since Feb 18, 2026