Symfony Host Header Injection
High severity
GitHub Reviewed
Published
May 14, 2022
to the GitHub Advisory Database
•
Updated Oct 6, 2023
Package
Affected versions
>= 2.7.0, <= 2.7.48
>= 2.8.0, <= 2.8.43
>= 3.3.0, <= 3.3.17
>= 3.4.0, <= 3.4.13
>= 4.0.0, <= 4.0.13
>= 4.1.0, <= 4.1.2
Patched versions
2.7.49
2.8.44
3.3.18
3.4.14
4.0.14
4.1.3
Description
Published by the National Vulnerability Database
Aug 3, 2018
Published to the GitHub Advisory Database
May 14, 2022
Reviewed
Jul 25, 2023
Last updated
Oct 6, 2023
An issue was discovered in HttpKernel in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. When using HttpCache, the values of the X-Forwarded-Host headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection.
References