CVE-2020-15094 - High Severity Vulnerability
Vulnerable Library - symfony/http-kernel-v4.4.8
Symfony HttpKernel Component
Library home page: https://api.github.com/repos/symfony/http-kernel/zipball/1799a6c01f0db5851f399151abdb5d6393fec277
Dependency Hierarchy:
- behat/behat-v3.6.1 (Root Library)
  - symfony/translation-v4.4.18
    - :x: **symfony/http-kernel-v4.4.8** (Vulnerable Library)
Found in HEAD commit: a9a6ea56561fe388debc15645b563aba771437b4
Found in base branch: develop
Vulnerability Details
In Symfony before versions 4.4.13 and 5.1.5, the CachingHttpClient class from the Symfony HttpClient component relies on the HttpCache class to handle requests. HttpCache uses internal headers such as X-Body-Eval and X-Body-File to control how cached responses are restored. The class was originally written with surrogate caching and ESI support in mind, a scenario in which all HTTP calls come from a trusted backend. When it is used by CachingHttpClient, however, an attacker who can control the response to a request made through the CachingHttpClient can achieve remote code execution. This has been fixed in versions 4.4.13 and 5.1.5.
Publish Date: 2020-09-02
URL: CVE-2020-15094
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://github.com/symfony/symfony/security/advisories/GHSA-754h-5r27-7x3r
Release Date: 2020-07-21
Fix Resolution: 4.4.13, 5.1.5