Code injection in the way Symfony implements translation caching in FrameworkBundle
Description
When investigating issue #11093, Jeremy Derussé found a serious code injection issue in the way Symfony implements translation caching in FrameworkBundle.
- Your Symfony application is vulnerable if you meet the following conditions:
- You are using the Symfony translation system from FrameworkBundle (so basically if you are using Symfony full-stack -- you are not affected if you are using the Translation component with Silex for instance); You don't sanitize locales coming from a URL (any route with a _locale argument for instance):
When vulnerable, an attacker can submit a non-valid locale value that can contain some PHP code that will be executed by Symfony. That's because the locale value is dumped into a PHP file generated in the cache without being sanitized first.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
symfony/framework-bundlePackagist | >= 2.0.0, < 2.3.18 | 2.3.18 |
symfony/framework-bundlePackagist | >= 2.4.0, < 2.4.8 | 2.4.8 |
symfony/framework-bundlePackagist | >= 2.5.0, < 2.5.2 | 2.5.2 |
symfony/symfonyPackagist | >= 2.0.0, < 2.3.19 | 2.3.19 |
symfony/symfonyPackagist | >= 2.4.0, < 2.4.9 | 2.4.9 |
symfony/symfonyPackagist | >= 2.5.0, < 2.5.4 | 2.5.4 |
Affected products
3- ghsa-coords2 versions
>= 2.0.0, < 2.3.18+ 1 more
- (no CPE)range: >= 2.0.0, < 2.3.18
- (no CPE)range: >= 2.0.0, < 2.3.19
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-wfv7-5x33-v22hghsaADVISORY
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/framework-bundle/CVE-2014-4931.yamlghsaWEB
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2014-4931.yamlghsaWEB
- github.com/symfony/symfony/commit/06a80fbdbe744ad6f3010479ba64ef5cf35dd9af.patchghsaWEB
- symfony.com/blog/security-releases-cve-2014-4931-symfony-2-3-18-2-4-8-and-2-5-2-releasedghsaWEB
News mentions
0No linked articles in our index yet.