Low severity · NVD Advisory · Published Mar 30, 2020 · Updated Aug 4, 2024
Prevent cache poisoning via a Response Content-Type header
CVE-2020-5255
Description
In Symfony before versions 4.4.7 and 5.0.7, when a Response does not contain a Content-Type header, affected versions of Symfony can fall back to the format defined in the Accept header of the request, leading to a possible mismatch between the response's content and its Content-Type header. When such a response is cached, this can prevent the use of the website by other users. This has been patched in versions 4.4.7 and 5.0.7.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| symfony/http-foundation (Packagist) | >= 4.4.0, < 4.4.7 | 4.4.7 |
| symfony/http-foundation (Packagist) | >= 5.0.0, < 5.0.7 | 5.0.7 |
| symfony/symfony (Packagist) | >= 4.4.0, < 4.4.7 | 4.4.7 |
| symfony/symfony (Packagist) | >= 5.0.0, < 5.0.7 | 5.0.7 |
Affected products
- OSV coordinates, 3 versions (no CPE): range >= 4.4.0, < 4.4.7, + 2 more
References
- github.com/advisories/GHSA-mcx4-f5f5-4859 (GHSA, advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C36JLPHUPKDFAX6D5WYFC4ALO2K7RDUQ/ (MITRE, vendor advisory, x_refsource_FEDORA)
- nvd.nist.gov/vuln/detail/CVE-2020-5255 (GHSA, advisory)
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2020-5255.yaml (GHSA, web)
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2020-5255.yaml (GHSA, web)
- github.com/symfony/symfony/commit/dca343442e6a954f96a2609e7b4e9c21ed6d74e6 (GHSA, x_refsource_MISC, web)
- github.com/symfony/symfony/security/advisories/GHSA-mcx4-f5f5-4859 (GHSA, x_refsource_CONFIRM, web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C36JLPHUPKDFAX6D5WYFC4ALO2K7RDUQ (GHSA, web)
- symfony.com/blog/cve-2020-5255-prevent-cache-poisoning-via-a-response-content-type-header (GHSA, x_refsource_MISC, web)
- symfony.com/cve-2020-5255 (GHSA, web)