PT-2024-10556 · Symfony+1 · Symfony Httpkernel+1

Published 2024-05-30 · Updated 2024-05-30 · CVE-2014-5245

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Symfony HttpKernel component versions 2.2.X through 2.5.X

Description

This issue affects applications that have the ESI feature enabled and a proxy in front of the web application. The FragmentHandler cannot distinguish ESI requests made by a proxy such as Varnish from faked fragment requests sent directly by a client, so it treats every request to render a fragment as coming from a trusted source, even when the client requests the fragment directly.

Recommendations

For Symfony 2.3.X, update to version 2.3.19 or later.
For Symfony 2.4.X, update to version 2.4.9 or later.
For Symfony 2.5.X, update to version 2.5.4 or later.
For Symfony 2.2.X, no official fix is provided because the branch is no longer maintained; consider using the Varnish configuration workaround:

    sub vcl_recv {
        # Reject fragment URLs requested directly by a client (not a restart)
        if (req.restarts == 0 && req.url ~ "^/_fragment") {
            error 400;
        }
    }

Exploit

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2014-5245
GHSA-WVJV-P5RR-MMQM

Affected Products

Symfony Httpkernel
Varnish