CVE-2020-15094

In Symfony before versions 4.4.13 and 5.1.5, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response for a request being made by the CachingHttpClient, remote code execution is possible. This has been fixed in versions 4.4.13 and 5.1.5.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:sensiolabs:httpclient:*:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:httpclient:*:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*
cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*

History

21 Nov 2024, 05:04

Type Values Removed Values Added
References () https://github.com/symfony/symfony/commit/d9910e0b33a2e0f993abff41c6fbc86951b66d78 - Patch, Third Party Advisory () https://github.com/symfony/symfony/commit/d9910e0b33a2e0f993abff41c6fbc86951b66d78 - Patch, Third Party Advisory
References () https://github.com/symfony/symfony/security/advisories/GHSA-754h-5r27-7x3r - Third Party Advisory () https://github.com/symfony/symfony/security/advisories/GHSA-754h-5r27-7x3r - Third Party Advisory
References () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HNGUWOEETOFVH4PN3I3YO4QZHQ4AUKF3/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HNGUWOEETOFVH4PN3I3YO4QZHQ4AUKF3/ -
References () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VAQJXAKWPMWB7OL6QPG2ZSEQZYYPU5RC/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VAQJXAKWPMWB7OL6QPG2ZSEQZYYPU5RC/ -
References () https://packagist.org/packages/symfony/http-kernel - Product, Third Party Advisory () https://packagist.org/packages/symfony/http-kernel - Product, Third Party Advisory
References () https://packagist.org/packages/symfony/symfony - Product, Third Party Advisory () https://packagist.org/packages/symfony/symfony - Product, Third Party Advisory
CVSS v2 : 7.5
v3 : 8.8
v2 : 7.5
v3 : 8.0

07 Nov 2023, 03:17

Type Values Removed Values Added
References
  • {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HNGUWOEETOFVH4PN3I3YO4QZHQ4AUKF3/', 'name': 'FEDORA-2020-1c549262f1', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'}
  • {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VAQJXAKWPMWB7OL6QPG2ZSEQZYYPU5RC/', 'name': 'FEDORA-2020-16eb328853', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'}
  • () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HNGUWOEETOFVH4PN3I3YO4QZHQ4AUKF3/ -
  • () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VAQJXAKWPMWB7OL6QPG2ZSEQZYYPU5RC/ -

Information

Published : 2020-09-02 18:15

Updated : 2024-11-21 05:04


NVD link : CVE-2020-15094

Mitre link : CVE-2020-15094

CVE.ORG link : CVE-2020-15094


JSON object : View

Products Affected

fedoraproject

  • fedora

sensiolabs

  • symfony
  • httpclient
CWE
CWE-212

Improper Removal of Sensitive Information Before Storage or Transfer