github - ghsa-754h-5r27-7x3r

GHSA-754H-5R27-7X3R

Vulnerability from github – Published: 2020-09-02 17:29 – Updated: 2023-01-24 18:07

Summary

RCE in Symfony

Details

Description

The CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response for a request being made by the CachingHttpClient, remote code execution is possible.

Resolution

HTTP headers designed for internal use in HttpCache are now stripped from remote responses before being passed to HttpCache.

The patch for this issue is available here for the 4.4 branch.

Credits

I would like to thank Matthias Pigulla (webfactory GmbH) for reporting and fixing the issue.

Severity ?

8.0 (High)


                  
                    CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/http-kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.3.0"
            },
            {
              "fixed": "4.4.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/http-kernel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.1.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/symfony"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.3.0"
            },
            {
              "fixed": "4.4.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/symfony"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.1.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-15094"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-212"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-09-02T17:29:29Z",
    "nvd_published_at": "2020-09-02T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "Description\n-----------\n\nThe `CachingHttpClient` class from the HttpClient Symfony component relies on the `HttpCache` class to handle requests. `HttpCache` uses internal headers like `X-Body-Eval` and `X-Body-File` to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by `CachingHttpClient` and if an attacker can control the response for a request being made by the `CachingHttpClient`, remote code execution is possible.\n\nResolution\n----------\n\nHTTP headers designed for internal use in `HttpCache` are now stripped from remote responses before being passed to `HttpCache`.\n\nThe patch for this issue is available [here](https://github.com/symfony/symfony/commit/d9910e0b33a2e0f993abff41c6fbc86951b66d78) for the 4.4 branch.\n\nCredits\n-------\n\nI would like to thank Matthias Pigulla (webfactory GmbH) for reporting and fixing the issue.",
  "id": "GHSA-754h-5r27-7x3r",
  "modified": "2023-01-24T18:07:50Z",
  "published": "2020-09-02T17:29:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/symfony/symfony/security/advisories/GHSA-754h-5r27-7x3r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15094"
    },
    {
      "type": "WEB",
      "url": "https://github.com/symfony/symfony/commit/d9910e0b33a2e0f993abff41c6fbc86951b66d78"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-kernel/CVE-2020-15094.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2020-15094.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/symfony/symfony"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HNGUWOEETOFVH4PN3I3YO4QZHQ4AUKF3"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VAQJXAKWPMWB7OL6QPG2ZSEQZYYPU5RC"
    },
    {
      "type": "WEB",
      "url": "https://packagist.org/packages/symfony/http-kernel"
    },
    {
      "type": "WEB",
      "url": "https://packagist.org/packages/symfony/symfony"
    },
    {
      "type": "WEB",
      "url": "https://symfony.com/cve-2020-15094"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "RCE in Symfony"
}

CVE-2020-15094 (GCVE-0-2020-15094)

Vulnerability from cvelistv5 – Published: 2020-09-02 17:35 – Updated: 2024-08-04 13:08

Summary

In Symfony before versions 4.4.13 and 5.1.5, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response for a request being made by the CachingHttpClient, remote code execution is possible. This has been fixed in versions 4.4.13 and 5.1.5.

Severity ?

8 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

CWE

CWE-212 - {"CWE-212":"Improper Removal of Sensitive Information Before Storage or Transfer"}

Assigner

GitHub_M

References

URL

Tags

	https://github.com/symfony/symfony/security/advis…	x_refsource_CONFIRM
	https://github.com/symfony/symfony/commit/d9910e0…	x_refsource_MISC
	https://packagist.org/packages/symfony/symfony	x_refsource_MISC
	https://packagist.org/packages/symfony/http-kernel	x_refsource_MISC
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA

Impacted products

	Vendor	Product	Version
	symfony	symfony	Affected: >= 4.4.0, < 4.4.13 Affected: >= 5.0.0, < 5.1.5

Show details on NVD website