PT-2018-2797 · Symfony · Symfony

James Kettle · Published 2018-07-14 · Updated 2022-05-13 · CVE-2018-14773

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:L/Au:S/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions

Symfony versions 2.7.0 through 2.7.48
Symfony versions 2.8.0 through 2.8.43
Symfony versions 3.3.0 through 3.3.17
Symfony versions 3.4.0 through 3.4.13
Symfony versions 4.0.0 through 4.0.13
Symfony versions 4.1.0 through 4.1.2
Description

The issue arises from support for a legacy IIS header that lets a client override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header. A remote attacker can exploit this to impact the integrity of protected data. The vulnerability affects the Symfony\Component\HttpFoundation\Request::prepareRequestUri() function, where X-Original-URL and X-Rewrite-URL are honoured. Exploitation of this issue can lead to web cache poisoning.
Recommendations

For Symfony versions 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2, update to a version that drops support for the X-Original-URL and X-Rewrite-URL headers. As a temporary workaround, consider disabling the use of the X-Original-URL and X-Rewrite-URL headers in the prepareRequestUri() function until a patch is available.
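As an added illustration (not Symfony's code and not part of this advisory), the following Python model shows why honouring a path-override header breaks the agreement between a shared cache's key and the path the application actually served, and that dropping the headers before they reach the application, as the workaround above suggests, restores it. The cache-key rule, the header precedence and the sample request are assumptions made for the example.

```python
# Added example, not Symfony's own code: models the header-override behaviour
# described in this advisory. A shared cache that keys on the request-line
# path can file a response the application generated for the path named in
# X-Original-URL / X-Rewrite-URL instead. Header names are matched
# case-insensitively; the sample request at the bottom is constructed.

OVERRIDE_HEADERS = ("x-original-url", "x-rewrite-url")  # assumed precedence order


def _path_only(target: str) -> str:
    """Drop the query string; routing and cache keys here use the path only."""
    return target.split("?", 1)[0]


def effective_path(request_target: str, headers: dict, honour_overrides: bool) -> str:
    """Path the application would route on.
    honour_overrides=True mimics the legacy IIS behaviour: the first override
    header present replaces the request-line path. False is the fixed behaviour.
    """
    if honour_overrides:
        lowered = {k.lower(): v for k, v in headers.items()}
        for name in OVERRIDE_HEADERS:
            if lowered.get(name):
                return _path_only(lowered[name])
    return _path_only(request_target)


def cache_key(request_target: str) -> str:
    """Assumed cache behaviour: key on the request-line path, not on headers."""
    return _path_only(request_target)


def strip_override_headers(headers: dict) -> dict:
    """Edge mitigation: remove the override headers before forwarding upstream."""
    return {k: v for k, v in headers.items() if k.lower() not in OVERRIDE_HEADERS}


def has_cache_path_mismatch(request_target: str, headers: dict, honour_overrides: bool) -> bool:
    """True when the cache would store, under request_target's key, a response
    the application actually generated for a different path."""
    return cache_key(request_target) != effective_path(request_target, headers, honour_overrides)


# Constructed sample: a request for a cacheable asset that carries an override header.
SAMPLE_TARGET = "/static/app.js"
SAMPLE_HEADERS = {"Host": "example.test", "X-Original-URL": "/other/page"}

if __name__ == "__main__":
    print("vulnerable:", has_cache_path_mismatch(SAMPLE_TARGET, SAMPLE_HEADERS, True))  # True
    print("stripped:", has_cache_path_mismatch(SAMPLE_TARGET, strip_override_headers(SAMPLE_HEADERS), True))  # False
    print("fixed:", has_cache_path_mismatch(SAMPLE_TARGET, SAMPLE_HEADERS, False))  # False
```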

Exploit

Fix


Weakness Enumeration

Related identifiers

BDU:2019-01955
CVE-2018-14773
DLA-1707-1
DSA-4441-1
GHSA-8WGJ-6WX8-H5HQ

Affected products

Symfony