CVE-2020-15094

02.09.2020, 18:15

In Symfony before versions 4.4.13 and 5.1.5, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response for a request being made by the CachingHttpClient, remote code execution is possible. This has been fixed in versions 4.4.13 and 5.1.5.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8 HIGH	NETWORK	HIGH	LOW	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
GitHub_M	CNA	8 HIGH	NETWORK	HIGH	LOW	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 83%

Vendor	Product	Version
sensiolabs	httpclient	4.4.0 ≤ 𝑥 < 4.4.13
sensiolabs	httpclient	5.1.0 ≤ 𝑥 < 5.1.5
sensiolabs	symfony	4.4.0 ≤ 𝑥 < 4.4.13
sensiolabs	symfony	5.1.0 ≤ 𝑥 < 5.1.5

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

symfony

bullseye	4.4.19+dfsg-2+deb11u6 fixed
buster	not-affected
stretch	not-affected
bookworm	5.4.23+dfsg-1+deb12u2 fixed
sid	6.4.13+dfsg-1 fixed
trixie	6.4.13+dfsg-1 fixed