PT-2015-5706 · Symfony · Symfony

Published: 2015-01-01 · Updated: 2025-09-24 · CVE-2015-2309

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Symfony HttpFoundation component, versions 2.0.X through 2.6.X

Description: The issue affects the Symfony\Component\HttpFoundation\Request class, which has a mechanism to ensure it does not trust HTTP header values coming from a "non-trusted" client. However, it assumes that the remote address is always a trusted client if at least one trusted proxy is involved in the request, rather than checking that the request actually arrived from one of the configured trusted proxies. This allows a man-in-the-middle attack between the last trusted proxy and the web server, in which forwarded headers are accepted from a connection that did not come through a trusted proxy. The impacted methods are getPort(), isSecure(), getHost(), and getClientIps().

Recommendations: For Symfony 2.3.X, update to version 2.3.27 to resolve the issue. For Symfony 2.5.X, update to version 2.5.11 to resolve the issue. For Symfony 2.6.X, update to version 2.6.6 to resolve the issue. For Symfony 2.0, 2.1, 2.2, and 2.4, no fixes are provided as they are not maintained anymore.
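The trust decision described above, as an added Python model that is not Symfony's PHP code: the flawed policy honours X-Forwarded-* headers whenever the trusted-proxy list is non-empty, while the corrected policy honours them only when the connecting address (REMOTE_ADDR) is itself a trusted proxy. Header names, addresses and the simplified header parsing are constructed for illustration; Symfony's real getClientIps() additionally walks the X-Forwarded-For chain from the right and strips trusted proxies, which this model omits.

```python
"""Simplified model of the trusted-proxy check behind CVE-2015-2309.

Added example; not the Symfony code. It resolves the four values the
advisory names (client IP, scheme, host, port) under the flawed and the
fixed trust rule so the difference can be seen on one request.
"""
import ipaddress
from dataclasses import dataclass

# Constructed header names; these mirror the common X-Forwarded-* convention.
FORWARDED_FOR = "X-Forwarded-For"
FORWARDED_PROTO = "X-Forwarded-Proto"
FORWARDED_HOST = "X-Forwarded-Host"
FORWARDED_PORT = "X-Forwarded-Port"


@dataclass
class Resolved:
    client_ip: str
    secure: bool
    host: str
    port: int


def is_trusted_proxy(remote_addr, trusted_proxies):
    """True if remote_addr lies inside any configured trusted IP or CIDR."""
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in trusted_proxies)


def resolve(remote_addr, server_host, server_port, https, headers, trusted_proxies, fixed=True):
    """Resolve client IP / scheme / host / port for one request.

    fixed=False reproduces the flawed rule: forwarded headers are trusted as
    soon as any trusted proxy is configured, even if this connection came
    straight from an untrusted address. fixed=True applies the corrected rule.
    """
    if fixed:
        trust_headers = is_trusted_proxy(remote_addr, trusted_proxies)
    else:
        trust_headers = bool(trusted_proxies)  # flawed: only "is a proxy configured?"

    if not trust_headers:
        # Fall back to what the server itself observed on the connection.
        return Resolved(remote_addr, https, server_host, server_port)

    # Simplified header parsing: first hop for the client, last hop for the host.
    client_ip = headers.get(FORWARDED_FOR, remote_addr).split(",")[0].strip()
    proto = headers.get(FORWARDED_PROTO, "https" if https else "http")
    secure = proto.split(",")[0].strip().lower() == "https"
    host = headers.get(FORWARDED_HOST, server_host).split(",")[-1].strip()
    port = int(headers.get(FORWARDED_PORT, server_port))
    return Resolved(client_ip, secure, host, port)


def demo():
    """Constructed scenario: a direct connection that bypasses the proxy."""
    trusted = ["10.0.0.0/8"]  # constructed: the reverse-proxy network
    # Headers the server receives directly from 203.0.113.7, i.e. not via a proxy.
    forged = {
        FORWARDED_FOR: "127.0.0.1",
        FORWARDED_PROTO: "https",
        FORWARDED_HOST: "internal.example",
        FORWARDED_PORT: "443",
    }
    flawed = resolve("203.0.113.7", "www.example", 80, False, forged, trusted, fixed=False)
    fixed = resolve("203.0.113.7", "www.example", 80, False, forged, trusted, fixed=True)
    return flawed, fixed


if __name__ == "__main__":
    flawed, fixed = demo()
    print("flawed rule:", flawed)
    print("fixed rule: ", fixed)
```

Run it and the flawed rule reports the request as coming from 127.0.0.1 over HTTPS for internal.example:443, while the fixed rule keeps the observed values (203.0.113.7, plain HTTP, www.example:80) because 203.0.113.7 is not a trusted proxy. A request that genuinely arrives from a 10.0.0.0/8 proxy resolves identically under both rules, which is why the fix is safe to deploy behind an existing proxy setup as long as the trusted-proxy list is accurate.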

Weakness Enumeration

Related Identifiers: CVE-2015-2309, GHSA-P684-F7FH-JV2J

Affected Products: Symfony