PT-2024-40474 · Symfony · Symfony2

Published 2024-05-30 · Updated 2024-05-30

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions: Symfony2 versions prior to the introduction of the fix

Description: The issue arises when an application relies on the client IP address returned by the Request::getClientIp() method for making sensitive decisions, such as IP-based access control. Because the trust-proxy mode makes getClientIp() honour proxy-supplied forwarding headers, the returned address can be controlled by the client rather than reflecting the real peer. The estimated number of potentially affected devices is not specified. There is no information about real-world incidents where this issue was exploited. Technical details include the use of the Request::getClientIp() method and the Request::trustProxyData() method, which has been deprecated in favor of Request::setTrustedProxies(). The Request::setTrustedProxies() method takes an array of trusted proxy IP addresses as its argument.

Recommendations: For all versions of Symfony2, upgrade to the latest version as soon as possible. Alternatively, apply the provided patches:
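The following script is an added example, not code from Symfony or from this advisory. It shows how Request::getClientIp() behaves once an explicit trusted-proxy list is configured with Request::setTrustedProxies(), as the advisory recommends in place of the deprecated Request::trustProxyData(). It assumes a Symfony 2.x HttpFoundation install via Composer and the single-argument setTrustedProxies() signature the advisory describes; the proxy and client addresses are constructed placeholders.

```php
<?php
// Added example (not Symfony's own code). Assumes Symfony 2.x HttpFoundation
// installed through Composer. All IP addresses below are constructed.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\HttpFoundation\Request;

// Build a request that arrives from $remoteAddr and carries a forwarding
// header whose value the sender chose. Request::create() accepts a $server
// array, and HTTP_* keys become request headers.
function makeRequest(string $remoteAddr, string $forwardedFor): Request
{
    return Request::create('/admin', 'GET', [], [], [], [
        'REMOTE_ADDR'          => $remoteAddr,
        'HTTP_X_FORWARDED_FOR' => $forwardedFor,
    ]);
}

$reverseProxy = '10.0.0.1';      // constructed: the only host that legitimately sets the header
$directPeer   = '203.0.113.7';   // constructed: a client that bypasses the proxy
$endUser      = '198.51.100.5';  // constructed: the address the proxy reports for a real user

// 1. No trusted proxies configured: the forwarding header is ignored and the
//    TCP peer address is returned, even when the request came via the proxy.
Request::setTrustedProxies([]);
$viaProxy = makeRequest($reverseProxy, $endUser);
printf("no trusted proxies, via proxy:      %s\n", $viaProxy->getClientIp());   // 10.0.0.1

// 2. Explicit trusted-proxy list (the fix the advisory points to). The header
//    is honoured only when the peer is the listed proxy; a direct connection
//    that supplies its own header still resolves to the real peer address.
Request::setTrustedProxies([$reverseProxy]);
$viaProxy = makeRequest($reverseProxy, $endUser);
$direct   = makeRequest($directPeer, $endUser);
printf("trusted proxy list, via proxy:      %s\n", $viaProxy->getClientIp()); // 198.51.100.5
printf("trusted proxy list, direct peer:    %s\n", $direct->getClientIp());   // 203.0.113.7

// The deprecated Request::trustProxyData() had no proxy list: it treated every
// peer as a proxy, so the direct-peer case above would have returned the
// header value instead of 203.0.113.7. Any IP-based access check built on
// getClientIp() must therefore be paired with setTrustedProxies() listing
// exactly the hosts that sit in front of the application.
```

Run it with `php check_client_ip.php` after `composer require symfony/http-foundation` in a Symfony 2.x project; the two outputs under the trusted-proxy list are the values an IP allow-list should be evaluated against.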

Related Identifiers: GHSA-VFM6-R2GC-PWWW

Affected Products: Symfony2