CVE-2021-41267 - OpenCVE

Symfony/Http-Kernel is the HTTP kernel component for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Headers that are not part of the "trusted_headers" allowed list are ignored and protect users from "Cache poisoning" attacks. In Symfony 5.2, maintainers added support for the `X-Forwarded-Prefix` headers, but this header was accessible in SubRequest, even if it was not part of the "trusted_headers" allowed list. An attacker could leverage this opportunity to forge requests containing a `X-Forwarded-Prefix` header, leading to a web cache poisoning issue. Versions 5.3.12 and later have a patch to ensure that the `X-Forwarded-Prefix` header is not forwarded to subrequests when it is not trusted.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Sensiolabs	Symfony

Configuration 1 [-]

cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/symfony/symfony/commit/95dcf51682029e89450aee86267e3d553aa7c487
https://github.com/symfony/symfony/pull/44243
https://github.com/symfony/symfony/releases/tag/v5.3.12
https://github.com/symfony/symfony/security/advisories/GHSA-q3j3-w37x-hq2q

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-11-24T18:55:17

Updated: 2024-08-04T03:08:31.656Z

Reserved: 2021-09-15T00:00:00

Link: CVE-2021-41267

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-11-24T19:15:07.737

Modified: 2021-11-30T18:52:27.077

Link: CVE-2021-41267

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "symfony", "vendor": "symfony", "versions": [{"status": "affected", "version": ">= 5.2.0, < 5.3.12"}]}], "descriptions": [{"lang": "en", "value": "Symfony/Http-Kernel is the HTTP kernel component for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Headers that are not part of the \"trusted_headers\" allowed list are ignored and protect users from \"Cache poisoning\" attacks. In Symfony 5.2, maintainers added support for the `X-Forwarded-Prefix` headers, but this header was accessible in SubRequest, even if it was not part of the \"trusted_headers\" allowed list. An attacker could leverage this opportunity to forge requests containing a `X-Forwarded-Prefix` header, leading to a web cache poisoning issue. Versions 5.3.12 and later have a patch to ensure that the `X-Forwarded-Prefix` header is not forwarded to subrequests when it is not trusted."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-444", "description": "CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-11-24T18:55:17", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/symfony/symfony/pull/44243"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/symfony/symfony/releases/tag/v5.3.12"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/symfony/symfony/security/advisories/GHSA-q3j3-w37x-hq2q"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/symfony/symfony/commit/95dcf51682029e89450aee86267e3d553aa7c487"}], "source": {"advisory": "GHSA-q3j3-w37x-hq2q", "discovery": "UNKNOWN"}, "title": "Webcache Poisoning in Symfony", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-41267", "STATE": "PUBLIC", "TITLE": "Webcache Poisoning in Symfony"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "symfony", "version": {"version_data": [{"version_value": ">= 5.2.0, < 5.3.12"}]}}]}, "vendor_name": "symfony"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Symfony/Http-Kernel is the HTTP kernel component for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Headers that are not part of the \"trusted_headers\" allowed list are ignored and protect users from \"Cache poisoning\" attacks. In Symfony 5.2, maintainers added support for the `X-Forwarded-Prefix` headers, but this header was accessible in SubRequest, even if it was not part of the \"trusted_headers\" allowed list. An attacker could leverage this opportunity to forge requests containing a `X-Forwarded-Prefix` header, leading to a web cache poisoning issue. Versions 5.3.12 and later have a patch to ensure that the `X-Forwarded-Prefix` header is not forwarded to subrequests when it is not trusted."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/symfony/symfony/pull/44243", "refsource": "MISC", "url": "https://github.com/symfony/symfony/pull/44243"}, {"name": "https://github.com/symfony/symfony/releases/tag/v5.3.12", "refsource": "MISC", "url": "https://github.com/symfony/symfony/releases/tag/v5.3.12"}, {"name": "https://github.com/symfony/symfony/security/advisories/GHSA-q3j3-w37x-hq2q", "refsource": "CONFIRM", "url": "https://github.com/symfony/symfony/security/advisories/GHSA-q3j3-w37x-hq2q"}, {"name": "https://github.com/symfony/symfony/commit/95dcf51682029e89450aee86267e3d553aa7c487", "refsource": "MISC", "url": "https://github.com/symfony/symfony/commit/95dcf51682029e89450aee86267e3d553aa7c487"}]}, "source": {"advisory": "GHSA-q3j3-w37x-hq2q", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T03:08:31.656Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/symfony/symfony/pull/44243"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/symfony/symfony/releases/tag/v5.3.12"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/symfony/symfony/security/advisories/GHSA-q3j3-w37x-hq2q"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/symfony/symfony/commit/95dcf51682029e89450aee86267e3d553aa7c487"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-41267", "datePublished": "2021-11-24T18:55:17", "dateReserved": "2021-09-15T00:00:00", "dateUpdated": "2024-08-04T03:08:31.656Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*", "matchCriteriaId": "03A20B5C-F577-4E27-90BD-CB0689E7C602", "versionEndExcluding": "5.3.12", "versionStartIncluding": "5.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Symfony/Http-Kernel is the HTTP kernel component for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Headers that are not part of the \"trusted_headers\" allowed list are ignored and protect users from \"Cache poisoning\" attacks. In Symfony 5.2, maintainers added support for the `X-Forwarded-Prefix` headers, but this header was accessible in SubRequest, even if it was not part of the \"trusted_headers\" allowed list. An attacker could leverage this opportunity to forge requests containing a `X-Forwarded-Prefix` header, leading to a web cache poisoning issue. Versions 5.3.12 and later have a patch to ensure that the `X-Forwarded-Prefix` header is not forwarded to subrequests when it is not trusted."}, {"lang": "es", "value": "Symfony/Http-Kernel es el componente del n\u00facleo HTTP de Symfony, un framework PHP para aplicaciones web y de consola y un conjunto de componentes PHP reusables. Los encabezados que no forman parte de la lista permitida \"trusted_headers\" son ignoradas y protegen a los usuarios de ataques de \"Cache poisoning\". En Symfony versi\u00f3n 5.2, los mantenedores a\u00f1adieron soporte para los encabezados \"X-Forwarded-Prefix\", pero este encabezado era accesible en SubRequest, incluso si no era parte de la lista permitida \"trusted_headers\". Un atacante podr\u00eda aprovechar esta oportunidad para falsificar peticiones que contengan un encabezado \"X-Forwarded-Prefix\", conllevando aun problema de envenenamiento de la cach\u00e9 web. Las versiones 5.3.12 y posteriores presentan un parche para asegurar que el encabezado \"X-Forwarded-Prefix\" no es reenviado a las subpeticiones cuando no es confiable"}], "id": "CVE-2021-41267", "lastModified": "2021-11-30T18:52:27.077", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Primary"}]}, "published": "2021-11-24T19:15:07.737", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/symfony/symfony/commit/95dcf51682029e89450aee86267e3d553aa7c487"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/symfony/symfony/pull/44243"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/symfony/symfony/releases/tag/v5.3.12"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/symfony/symfony/security/advisories/GHSA-q3j3-w37x-hq2q"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-444"}], "source": "security-advisories@github.com", "type": "Primary"}]}