{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2018-08-01T00:00:00", "descriptions": [{"lang": "en", "value": "An issue was discovered in HttpKernel in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. When using HttpCache, the values of the X-Forwarded-Host headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-08-03T16:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/symfony/symfony/commit/725dee4cd8b4ccd52e335ae4b4522242cea9bd4a"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://symfony.com/blog/cve-2018-14774-possible-host-header-injection-when-using-httpcache"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-14774", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in HttpKernel in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. When using HttpCache, the values of the X-Forwarded-Host headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/symfony/symfony/commit/725dee4cd8b4ccd52e335ae4b4522242cea9bd4a", "refsource": "CONFIRM", "url": "https://github.com/symfony/symfony/commit/725dee4cd8b4ccd52e335ae4b4522242cea9bd4a"}, {"name": "https://symfony.com/blog/cve-2018-14774-possible-host-header-injection-when-using-httpcache", "refsource": "CONFIRM", "url": "https://symfony.com/blog/cve-2018-14774-possible-host-header-injection-when-using-httpcache"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T09:38:13.918Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/symfony/symfony/commit/725dee4cd8b4ccd52e335ae4b4522242cea9bd4a"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://symfony.com/blog/cve-2018-14774-possible-host-header-injection-when-using-httpcache"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-14774", "datePublished": "2018-08-03T17:00:00", "dateReserved": "2018-07-31T00:00:00", "dateUpdated": "2024-08-05T09:38:13.918Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*", "matchCriteriaId": "E1F1C03F-7091-4ECC-8DAB-646D12E07EBE", "versionEndIncluding": "2.7.48", "versionStartIncluding": "2.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*", "matchCriteriaId": "D9158CA7-0193-4342-9A09-126D8F667591", "versionEndIncluding": "2.8.43", "versionStartIncluding": "2.8.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*", "matchCriteriaId": "933F48FF-3D58-455A-85D5-563A5C454020", "versionEndIncluding": "3.3.17", "versionStartIncluding": "3.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*", "matchCriteriaId": "09200F9D-A68B-4322-9626-7A869EC1E18A", "versionEndIncluding": "3.4.13", "versionStartIncluding": "3.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*", "matchCriteriaId": "77747DC8-9E86-4619-A98F-CAC8BF7BA7B7", "versionEndIncluding": "4.0.13", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*", "matchCriteriaId": "0261DC21-9664-4D09-AE19-632C0D083D48", "versionEndIncluding": "4.1.2", "versionStartIncluding": "4.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in HttpKernel in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. When using HttpCache, the values of the X-Forwarded-Host headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection."}, {"lang": "es", "value": "Se ha descubierto un problema en HttpKernel en Symfony, desde la versi\u00f3n 2.7.0 hasta la 2.7.48, desde la versi\u00f3n 2.8.0 hasta la 2.8.43, desde la versi\u00f3n 3.3.0 hasta la 3.3.17, desde la versi\u00f3n 3.4.0 hasta la 3.4.13, desde la versi\u00f3n 4.0.0 hasta la 4.0.13 y desde la versi\u00f3n 4.1.0 hasta la 4.1.2. Al emplear HttpCache, los valores de las cabeceras X-Forwarded-Host se asignan impl\u00edcitamente como fiables, aunque deber\u00eda estar prohibido, lo que conduce a una potencial inyecci\u00f3n de cabeceras host."}], "id": "CVE-2018-14774", "lastModified": "2024-11-21T03:49:45.740", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-08-03T17:29:00.347", "references": [{"source": "cve@mitre.org", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/symfony/symfony/commit/725dee4cd8b4ccd52e335ae4b4522242cea9bd4a"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://symfony.com/blog/cve-2018-14774-possible-host-header-injection-when-using-httpcache"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/symfony/symfony/commit/725dee4cd8b4ccd52e335ae4b4522242cea9bd4a"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://symfony.com/blog/cve-2018-14774-possible-host-header-injection-when-using-httpcache"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}