Candidate: CVE-2021-41267
PublicDate: 2021-11-24 19:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41267
 https://github.com/symfony/symfony/security/advisories/GHSA-q3j3-w37x-hq2q
 https://github.com/symfony/symfony/commit/95dcf51682029e89450aee86267e3d553aa7c487 (v5.3.12)
 https://github.com/symfony/symfony/releases/tag/v5.3.12
 https://github.com/symfony/symfony/commit/95dcf51682029e89450aee86267e3d553aa7c487
 https://github.com/symfony/symfony/pull/44243
Description:
 Symfony/Http-Kernel is the HTTP kernel component for Symfony, a PHP
 framework for web and console applications and a set of reusable PHP
 components. Headers that are not part of the "trusted_headers" allowed list
 are ignored and protect users from "Cache poisoning" attacks. In Symfony
 5.2, maintainers added support for the `X-Forwarded-Prefix` headers, but
 this header was accessible in SubRequest, even if it was not part of the
 "trusted_headers" allowed list. An attacker could leverage this opportunity
 to forge requests containing a `X-Forwarded-Prefix` header, leading to a
 web cache poisoning issue. Versions 5.3.12 and later have a patch to ensure
 that the `X-Forwarded-Prefix` header is not forwarded to subrequests when
 it is not trusted.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N [6.5 MEDIUM]


Patches_symfony:
 upstream: https://github.com/symfony/symfony/commit/95dcf51682029e89450aee86267e3d553aa7c487
upstream_symfony: not-affected (debian: Vulnerable code never in released version in unstable)
trusty_symfony: ignored (out of standard support)
xenial_symfony: ignored (out of standard support)
bionic_symfony: not-affected (code not present)
focal_symfony: not-affected (code not present)
hirsute_symfony: ignored (reached end-of-life)
impish_symfony: needed
jammy_symfony: needed
devel_symfony: needed