Webcache Poisoning in Symfony
Description
Symfony/Http-Kernel is the HTTP kernel component for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Headers that are not part of the "trusted_headers" allowed list are ignored, which protects users from cache poisoning attacks. In Symfony 5.2, maintainers added support for the X-Forwarded-Prefix header, but this header was accessible in a SubRequest even if it was not part of the "trusted_headers" allowed list. An attacker could leverage this to forge requests containing an X-Forwarded-Prefix header, leading to a web cache poisoning issue. Versions 5.3.12 and later have a patch to ensure that the X-Forwarded-Prefix header is not forwarded to subrequests when it is not trusted.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| symfony/http-kernel (Packagist) | >= 5.2.0, < 5.3.12 | 5.3.12 |
| symfony/symfony (Packagist) | >= 5.2.0, < 5.3.12 | 5.3.12 |
Affected products
OSV coordinates (no CPE entries are listed for any of them):
- pkg:bitnami/symfony, range: >= 5.2.0, < 5.3.12
- pkg:composer/symfony/http-kernel, range: >= 5.2.0, < 5.3.12
- pkg:composer/symfony/symfony, range: >= 5.2.0, < 5.3.12
- pkg:deb/ubuntu/symfony@5.4.4+dfsg-1ubuntu8?arch=source&distro=jammy, range: >= 0
- pkg:deb/ubuntu/symfony@6.4.10+dfsg-1ubuntu1?arch=source&distro=oracular, range: >= 0
- pkg:deb/ubuntu/symfony@6.4.5+dfsg-3ubuntu3?arch=source&distro=noble, range: >= 0
- Overall range: >= 5.2.0, < 5.3.12
References
- github.com/advisories/GHSA-q3j3-w37x-hq2q (advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-41267 (advisory)
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-kernel/CVE-2021-41267.yaml
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2021-41267.yaml
- github.com/symfony/symfony/commit/95dcf51682029e89450aee86267e3d553aa7c487
- github.com/symfony/symfony/pull/44243
- github.com/symfony/symfony/releases/tag/v5.3.12
- github.com/symfony/symfony/security/advisories/GHSA-q3j3-w37x-hq2q (vendor advisory, confirmed)
- symfony.com/cve-2021-41267