High severity · GHSA Advisory · Published May 30, 2024

Code injection in the way Symfony implements translation caching in FrameworkBundle

CVE-2014-4931

Description

When investigating issue #11093, Jeremy Derussé found a serious code injection issue in the way Symfony implements translation caching in FrameworkBundle.

Your Symfony application is vulnerable if you meet the following conditions:

- You are using the Symfony translation system from FrameworkBundle (so basically if you are using Symfony full-stack; you are not affected if you are using the Translation component with Silex, for instance);
- You don't sanitize locales coming from a URL (any route with a _locale argument, for instance).

When vulnerable, an attacker can submit an invalid locale value containing PHP code that Symfony will then execute. This is because the locale value is dumped, without being sanitized first, into a PHP file generated in the cache.
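
The two defensive controls this description implies, validating the locale before use and writing it into generated PHP only as an escaped literal, are sketched below as an added example; it is not Symfony's patch or code. The function names, the allow-list pattern and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example, not Symfony's code. Function names and the allow-list
// pattern are assumptions; adapt the pattern to the locales your app serves.

/** Accept only locale-shaped strings such as "en", "fr_FR" or "sr_Latn_RS". */
function assertValidLocale(string $locale): string
{
    // Letters first, then "_"/"-" separated alphanumeric parts. \A and \z are
    // used instead of ^ and $ so a trailing newline is not silently accepted.
    if (preg_match('/\A[A-Za-z]{2,8}(?:[_-][A-Za-z0-9]{1,8})*\z/', $locale) !== 1) {
        throw new InvalidArgumentException('Invalid locale.');
    }
    return $locale;
}

/** Build the source of a generated cache file for one locale's messages. */
function buildCatalogueCacheSource(string $locale, array $messages): string
{
    $locale = assertValidLocale($locale);
    // var_export() emits a quoted, escaped PHP literal, so the value is
    // written into the generated file as data and never as code.
    return sprintf(
        "<?php\n\nreturn array(\n    'locale' => %s,\n    'messages' => %s,\n);\n",
        var_export($locale, true),
        var_export($messages, true)
    );
}

// Constructed sample inputs standing in for a {_locale} route parameter.
$samples = ['en', 'fr_FR', 'sr_Latn_RS', "en\n", 'en"; //', '../en', ''];

foreach ($samples as $candidate) {
    try {
        buildCatalogueCacheSource($candidate, ['hello' => 'Hello']);
        printf("%-14s accepted\n", json_encode($candidate));
    } catch (InvalidArgumentException $e) {
        printf("%-14s rejected\n", json_encode($candidate));
    }
}
```

The same allow-list can also be enforced earlier, as a requirement on the _locale route parameter, so malformed values never reach the translator.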

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| symfony/framework-bundle (Packagist) | >= 2.0.0, < 2.3.18 | 2.3.18 |
| symfony/framework-bundle (Packagist) | >= 2.4.0, < 2.4.8 | 2.4.8 |
| symfony/framework-bundle (Packagist) | >= 2.5.0, < 2.5.2 | 2.5.2 |
| symfony/symfony (Packagist) | >= 2.0.0, < 2.3.19 | 2.3.19 |
| symfony/symfony (Packagist) | >= 2.4.0, < 2.4.9 | 2.4.9 |
| symfony/symfony (Packagist) | >= 2.5.0, < 2.5.4 | 2.5.4 |
