:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
## Vulnerable Library - symfony/maker-bundle-v1.17.0
Found in HEAD commit: ed625cb4686799e69f6af6c96efc1416f702951d
## Vulnerabilities

## Details

## CVE-2020-15094
### Vulnerable Library - symfony/http-kernel-v5.0.8

Symfony HttpKernel Component
Library home page: https://api.github.com/repos/symfony/http-kernel/zipball/3565e51eecd06106304baba5ccb7ba89db2d7d2b
Dependency Hierarchy:

- symfony/maker-bundle-v1.17.0 (Root Library)
  - :x: **symfony/http-kernel-v5.0.8** (Vulnerable Library)
Found in HEAD commit: ed625cb4686799e69f6af6c96efc1416f702951d
Found in base branch: main
### Vulnerability Details

In Symfony before versions 4.4.13 and 5.1.5, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response for a request being made by the CachingHttpClient, remote code execution is possible. This has been fixed in versions 4.4.13 and 5.1.5.
Publish Date: 2020-09-02
URL: CVE-2020-15094
### CVSS 3 Score Details (8.8)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/symfony/symfony/security/advisories/GHSA-754h-5r27-7x3r
Release Date: 2020-09-25
Fix Resolution: 4.4.13,5.1.5
## CVE-2021-41267

### Vulnerable Library - symfony/http-kernel-v5.0.8

Symfony HttpKernel Component
Library home page: https://api.github.com/repos/symfony/http-kernel/zipball/3565e51eecd06106304baba5ccb7ba89db2d7d2b
Dependency Hierarchy:

- symfony/maker-bundle-v1.17.0 (Root Library)
  - :x: **symfony/http-kernel-v5.0.8** (Vulnerable Library)
Found in HEAD commit: ed625cb4686799e69f6af6c96efc1416f702951d
Found in base branch: main
### Vulnerability Details

Symfony/Http-Kernel is the HTTP kernel component for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Headers that are not part of the "trusted_headers" allowed list are ignored and protect users from "Cache poisoning" attacks. In Symfony 5.2, maintainers added support for the `X-Forwarded-Prefix` headers, but this header was accessible in SubRequest, even if it was not part of the "trusted_headers" allowed list. An attacker could leverage this opportunity to forge requests containing a `X-Forwarded-Prefix` header, leading to a web cache poisoning issue. Versions 5.3.12 and later have a patch to ensure that the `X-Forwarded-Prefix` header is not forwarded to subrequests when it is not trusted.
Publish Date: 2021-11-24
URL: CVE-2021-41267
### CVSS 3 Score Details (6.5)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/symfony/symfony/security/advisories/GHSA-q3j3-w37x-hq2q
Release Date: 2021-11-24
Fix Resolution: v5.3.12
## CVE-2021-21424

### Vulnerable Library - symfony/security-core-v5.0.8

Symfony Security Component - Core Library
Library home page: https://api.github.com/repos/symfony/security-core/zipball/5945abf1e64df5fdfb6aae9753c04f130fe96010
Dependency Hierarchy:

- symfony/maker-bundle-v1.17.0 (Root Library)
  - :x: **symfony/security-core-v5.0.8** (Vulnerable Library)
Found in HEAD commit: ed625cb4686799e69f6af6c96efc1416f702951d
Found in base branch: main
### Vulnerability Details

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling depending on whether the user existed or not when attempting to use the switch users functionality. We now ensure that 403s are returned whether the user exists or not if a user cannot switch to a user or if the user does not exist. The patch for this issue is available for branch 3.4.
Publish Date: 2021-05-13
URL: CVE-2021-21424
### CVSS 3 Score Details (5.3)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version
Origin: https://github.com/symfony/symfony/security/advisories/GHSA-5pv8-ppvj-4h68
Release Date: 2021-05-13
Fix Resolution: v3.4.48,v4.4.23,v5.2.8