Medium severity (score 5.3) · NVD Advisory · Published Nov 10, 2017 · Updated May 13, 2026
CVE-2017-16754
Description
Bolt before 3.3.6 does not properly restrict access to _profiler routes, related to EventListener/ProfilerListener.php and Provider/EventListenerServiceProvider.php.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| bolt/bolt (Packagist) | < 3.3.6 | 3.3.6 |
Affected products
Patches (1)
aa2178724194 — Request listener to prevent access to profiler routes
2 files changed · +86 −0
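--- a/src/EventListener/ProfilerListener.php
+++ b/src/EventListener/ProfilerListener.php
@@ -0,0 +1,74 @@
+<?php
+
+namespace Bolt\EventListener;
+
+use Bolt\AccessControl\Token\Token;
+use Bolt\Request\ProfilerAwareTrait;
+use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+use Symfony\Component\HttpFoundation\Session\SessionInterface;
+use Symfony\Component\HttpKernel\Event\GetResponseEvent;
+use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
+use Symfony\Component\HttpKernel\KernelEvents;
+
+/**
+ * Symfony Profiler listener.
+ *
+ * @author Gawain Lynch <gawain.lynch@gmail.com>
+ */
+class ProfilerListener implements EventSubscriberInterface
+{
+ use ProfilerAwareTrait;
+
+ /** @var SessionInterface */
+ private $session;
+ /** @var bool */
+ private $debug;
+ /** @var bool */
+ private $debugLoggedOff;
+
+ /**
+ * Constructor.
+ *
+ * @param SessionInterface $session
+ * @param bool $debug
+ * @param bool $debugLoggedOff
+ */
+ public function __construct(SessionInterface $session, $debug, $debugLoggedOff)
+ {
+ $this->session = $session;
+ $this->debug = $debug;
+ $this->debugLoggedOff = $debugLoggedOff;
+ }
+
+ /**
+ * Request listener to prevent access to profiler routes when debugging is
+ * not enabled, or the user is logged off & debugging is not configured to
+ * show when logged off.
+ *
+ * @param GetResponseEvent $event
+ */
+ public function onKernelRequest(GetResponseEvent $event)
+ {
+ $request = $event->getRequest();
+ if (!$this->isProfilerRequest($request)) {
+ return;
+ }
+
+ $token = $this->session->isStarted() ? $this->session->get('authentication') : null;
+ if ($this->debug && ($token instanceof Token || $this->debugLoggedOff)) {
+ return;
+ }
+
+ throw new NotFoundHttpException();
+ }
+
+ /**
+ * {@inheritdoc}
+ */
+ public static function getSubscribedEvents()
+ {
+ return [
+ KernelEvents::REQUEST => ['onKernelRequest'],
+ ];
+ }
+}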
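Review bot: The 404 gate in onKernelRequest is only as strong as `isProfilerRequest()`, which comes from ProfilerAwareTrait outside this hunk; for the fix to hold it should be an anchored prefix match on `$request->getPathInfo()` that covers both `/_profiler` and `/_wdt`, not a substring test on the raw URI — please confirm against the trait. The listener also subscribes at the default priority 0 and consults the injected `$this->session` rather than the request's session, so if the session has not been started by that point an authenticated user is treated as logged off; that fails closed, which is the right direction, but it deserves a comment on the `$token =` line such as `// Fail closed: an unstarted session yields no token, so the route 404s unless debug_show_loggedoff is set.` Finally, `$token instanceof Token` admits any logged-in account regardless of role; since the profiler exposes request and response data for the whole application, consider whether a specific permission should be required rather than mere authentication.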
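--- a/src/Provider/EventListenerServiceProvider.php
+++ b/src/Provider/EventListenerServiceProvider.php
@@ -130,6 +130,16 @@ function ($app) {
  return new Listener\ZoneGuesser($app);
  }
  );
+
+ $app['listener.profile'] = $app->share(
+ function ($app) {
+ return new Listener\ProfilerListener(
+ $app['session'],
+ $app['debug'],
+ $app['config']->get('general/debug_show_loggedoff')
+ );
+ }
+ );
 }
 
 public function boot(Application $app)
@@ -160,5 +170,7 @@ public function boot(Application $app)
  if (isset($app['listener.exception']) && !$app['config']->get('general/debug_error_use_symfony')) {
  $dispatcher->addSubscriber($app['listener.exception']);
  }
+
+ $dispatcher->addSubscriber($app['listener.profile']);
  }
 }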
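Review bot: The third argument to the new `listener.profile` factory is the raw value of `$app['config']->get('general/debug_show_loggedoff')`, while ProfilerListener documents that parameter as bool and only tests it for truthiness; if the config layer can hand back a non-boolean (a string such as `'false'` from a mis-typed YAML value, for instance) the logged-off profiler check would be silently enabled, so cast it at the call site: `(bool) $app['config']->get('general/debug_show_loggedoff')` — unless Bolt's config getter already normalises booleans, which I cannot see from here. Registering the subscriber unconditionally in boot() is the right fail-closed choice (unlike `listener.exception`, which is config-gated), but it lands at the default priority 0; since the guard throws rather than setting a response, that is only a problem if an earlier kernel.request listener short-circuits profiler routes with its own response, so consider giving it an explicitly high priority if such listeners exist. The service name `listener.profile` does not match the class name ProfilerListener; `listener.profiler` would be consistent with the other entries. Both the register() and boot() methods start and end outside these hunks.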
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
References (5)
- github.com/bolt/bolt/commit/aa21787241945457a2e4abc8b079672935fe0840 — NVD: Patch, Third Party Advisory (web)
- www.securityfocus.com/bid/101777 — NVD: Third Party Advisory, VDB Entry (web)
- github.com/advisories/GHSA-wr23-m9m2-jjf4 — GHSA: Advisory
- github.com/bolt/bolt/releases/tag/v3.3.6 — NVD: Release Notes, Third Party Advisory (web)
- nvd.nist.gov/vuln/detail/CVE-2017-16754 — GHSA: Advisory
News mentions
No linked articles in our index yet.