nexmo-community / messaging-aws-sqs-dynamodb-php

AWS Lambda function created in PHP that once triggered, moves a message from SQS into DynamoDB.
MIT License

symfony/yaml-v5.1.0: 1 vulnerabilities (highest severity is: 8.8) - autoclosed #7

Closed mend-for-github-com[bot] closed 1 year ago

mend-for-github-com[bot] commented 2 years ago
Vulnerable Library - symfony/yaml-v5.1.0

Found in HEAD commit: a98b02cc6219479db20e92032a8c3cb68016cfdb

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2020-15094 | High | 8.8 | symfony/http-client-v5.1.0 | Transitive | N/A | |

Details

**CVE-2020-15094**

### Vulnerable Library - symfony/http-client-v5.1.0

Symfony HttpClient component

Library home page: https://api.github.com/repos/symfony/http-client/zipball/63342eabdc6fc6c12e6b18506a207d16687aa33f

Dependency Hierarchy:
- symfony/yaml-v5.1.0 (Root Library)
  - symfony/console-v5.1.0
    - symfony/string-v5.1.0
      - :x: **symfony/http-client-v5.1.0** (Vulnerable Library)

Found in HEAD commit: a98b02cc6219479db20e92032a8c3cb68016cfdb

Found in base branch: main

### Vulnerability Details

In Symfony before versions 4.4.13 and 5.1.5, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response for a request being made by the CachingHttpClient, remote code execution is possible. This has been fixed in versions 4.4.13 and 5.1.5.

Publish Date: 2020-09-02

URL: CVE-2020-15094

### CVSS 3 Score Details (8.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


### Suggested Fix

Type: Upgrade version

Origin: https://github.com/symfony/symfony/security/advisories/GHSA-754h-5r27-7x3r

Release Date: 2020-09-25

Fix Resolution: 4.4.13,5.1.5
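The alert above flags symfony/http-client as a *transitive* dependency with no remediation offered, which leaves the reader to work out two things by hand: is the installed tag actually older than the fixed versions (4.4.13 / 5.1.5), and which direct requirement drags the package in. The script below is an added example, not code from the nexmo-community project or from Mend; it reads composer.json and composer.lock, applies the advisory's version cut-offs, and walks the lock file's `require` maps to print every chain from a direct requirement down to the flagged package. The two manifests embedded in it are constructed for the example: the package names are real Symfony packages, but the `require` edges are simplified to mirror the hierarchy the alert reports and are not Symfony's real metadata.

```python
"""Triage helper for a transitive-dependency alert (added example, not
project or Mend code). For one package it reports the installed version,
whether that version predates the CVE-2020-15094 fix ("Symfony before
versions 4.4.13 and 5.1.5"), whether it is a direct requirement, and every
require-chain from a direct requirement down to it."""
import json
import re

# Fix versions per major branch, from the advisory's "Fix Resolution".
FIXED_BY_MAJOR = {4: (4, 4, 13), 5: (5, 1, 5)}


def parse_version(tag: str) -> tuple:
    """composer.lock stores release tags such as "v5.1.0"; strip the leading
    'v' and ignore any pre-release suffix for the comparison."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    if not m:
        raise ValueError(f"unparseable version tag: {tag!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable(tag: str) -> bool:
    """True if the installed tag is older than the fix on its major branch.
    Branches the advisory does not name: anything newer than 5.x is treated
    as fixed, anything older than 4.x as vulnerable (conservative; the page
    gives no lower bound for the affected range)."""
    major, minor, patch = parse_version(tag)
    fix = FIXED_BY_MAJOR.get(major)
    if fix is None:
        return major < 4
    return (major, minor, patch) < fix


def dependency_paths(lock: dict, root_requires: dict, target: str) -> list:
    """All chains direct-requirement -> ... -> target, following the
    "require" maps recorded in composer.lock. Platform packages such as
    "php" or "ext-json" are not lock entries and are skipped."""
    installed = {pkg["name"]: pkg for pkg in lock["packages"]}
    graph = {
        name: [dep for dep in pkg.get("require", {}) if dep in installed]
        for name, pkg in installed.items()
    }
    paths = []

    def walk(node, path):
        if node in path:  # Composer graphs may contain cycles; stop here
            return
        path = path + [node]
        if node == target:
            paths.append(path)
            return
        for dep in graph.get(node, []):
            walk(dep, path)

    for root in root_requires:
        if root in installed:
            walk(root, [])
    return paths


def triage(composer_json: str, composer_lock: str, package: str) -> dict:
    """Summarise one flagged package from the two manifests."""
    composer = json.loads(composer_json)
    lock = json.loads(composer_lock)
    root_requires = composer.get("require", {})
    versions = {pkg["name"]: pkg["version"] for pkg in lock["packages"]}
    if package not in versions:
        return {"installed": None, "vulnerable": False, "direct": False, "paths": []}
    return {
        "installed": versions[package],
        "vulnerable": is_vulnerable(versions[package]),
        "direct": package in root_requires,
        "paths": dependency_paths(lock, root_requires, package),
    }


# CONSTRUCTED sample manifests: real package names, but simplified "require"
# edges that mirror the alert's reported hierarchy, not Symfony's metadata.
SAMPLE_COMPOSER_JSON = json.dumps({
    "require": {"php": ">=7.2.5", "symfony/yaml": "^5.1"}
})

SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "symfony/yaml", "version": "v5.1.0",
         "require": {"php": ">=7.2.5", "symfony/console": "^5.1"}},
        {"name": "symfony/console", "version": "v5.1.0",
         "require": {"php": ">=7.2.5", "symfony/string": "^5.1"}},
        {"name": "symfony/string", "version": "v5.1.0",
         "require": {"php": ">=7.2.5", "symfony/http-client": "^5.1"}},
        {"name": "symfony/http-client", "version": "v5.1.0",
         "require": {"php": ">=7.2.5", "symfony/http-client-contracts": "^2.1"}},
        {"name": "symfony/http-client-contracts", "version": "v2.1.0",
         "require": {"php": ">=7.2.5"}},
    ]
})

if __name__ == "__main__":
    report = triage(SAMPLE_COMPOSER_JSON, SAMPLE_COMPOSER_LOCK, "symfony/http-client")
    print(json.dumps(report, indent=2))
    for path in report["paths"]:
        print(" -> ".join(path))
```

Run it against a real checkout by replacing the two sample strings with the contents of composer.json and composer.lock. Two caveats worth keeping in mind when acting on the result: the vulnerable code path is only reachable if the application actually instantiates `CachingHttpClient` against an origin an attacker can influence, and "transitive with no remediation" in the alert does not mean unfixable; bumping the package directly (for example `composer update symfony/http-client`) to 4.4.13 or 5.1.5 or later is the remediation the advisory itself gives.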

mend-for-github-com[bot] commented 1 year ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.