silinternational / simplesamlphp-module-silauth

SimpleSAMLphp auth module implementing various security measures before calls to IdP ID Broker backend
MIT License

CVE-2020-15094 (High) detected in symfony/http-kernel-v4.4.8 #89

Closed mend-bolt-for-github[bot] closed 5 months ago

mend-bolt-for-github[bot] commented 3 years ago

CVE-2020-15094 - High Severity Vulnerability

Vulnerable Library - symfony/http-kernel-v4.4.8

Symfony HttpKernel Component

Library home page: https://api.github.com/repos/symfony/http-kernel/zipball/1799a6c01f0db5851f399151abdb5d6393fec277

Dependency Hierarchy:
- behat/behat-v3.6.1 (Root Library)
  - symfony/translation-v4.4.18
    - :x: **symfony/http-kernel-v4.4.8** (Vulnerable Library)

Found in HEAD commit: a9a6ea56561fe388debc15645b563aba771437b4

Found in base branch: develop

Vulnerability Details

In Symfony before versions 4.4.13 and 5.1.5, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response for a request being made by the CachingHttpClient, remote code execution is possible. This has been fixed in versions 4.4.13 and 5.1.5.

Publish Date: 2020-09-02

URL: CVE-2020-15094

CVSS 3 Score Details (8.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://github.com/symfony/symfony/security/advisories/GHSA-754h-5r27-7x3r

Release Date: 2020-07-21

Fix Resolution: 4.4.13,5.1.5


devon-sil commented 5 months ago

No longer using whitesource & this is too far out of date.