CVE-2018-14774
Published: 3 August 2018
An issue was discovered in HttpKernel in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. When using HttpCache, the values of the X-Forwarded-Host headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
symfony Launchpad, Ubuntu, Debian |
bionic |
Needed
|
| cosmic |
Not vulnerable
(3.4.15+dfsg-2ubuntu4)
|
|
| disco |
Not vulnerable
(3.4.15+dfsg-2ubuntu4)
|
|
| eoan |
Not vulnerable
(3.4.15+dfsg-2ubuntu4)
|
|
| focal |
Not vulnerable
(3.4.15+dfsg-2ubuntu4)
|
|
| groovy |
Not vulnerable
(3.4.15+dfsg-2ubuntu4)
|
|
| hirsute |
Not vulnerable
(3.4.15+dfsg-2ubuntu4)
|
|
| impish |
Not vulnerable
(3.4.15+dfsg-2ubuntu4)
|
|
| jammy |
Not vulnerable
(3.4.15+dfsg-2ubuntu4)
|
|
| kinetic |
Not vulnerable
(3.4.15+dfsg-2ubuntu4)
|
|
| lunar |
Not vulnerable
(3.4.15+dfsg-2ubuntu4)
|
|
| mantic |
Not vulnerable
(3.4.15+dfsg-2ubuntu4)
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(3.4.14+dfsg-1)
|
|
| xenial |
Needed
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.2 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Changed |
| Confidentiality | Low |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N |