Description
An issue was discovered in HttpKernel in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. When using HttpCache, the values of the X-Forwarded-Host headers are implicitly treated as trusted, although this should be forbidden, leading to potential host header injection.
References (2)
Issue Tracking, Patch, Third Party Advisory (x_refsource_confirm): https://github.com/symfony/symfony/commit/725dee4cd8b4ccd52e335ae4b4522242cea9bd4a
Patch, Third Party Advisory (x_refsource_confirm): https://symfony.com/blog/cve-2018-14774-possible-host-header-injection-when-using-httpcache
Scores
CVSS v3
7.2
EPSS
0.0015
EPSS Percentile
35.6%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Details
CWE
CWE-20
Status
published
Products (2)
sensiolabs/symfony: 2.7.0 - 2.7.48
symfony/symfony: 2.7.0 - 2.7.49 (Packagist)
Published
Aug 03, 2018
Tracked Since
Feb 18, 2026