CVE-2024-50342

EUVD-2024-3230
symfony/http-client is a module for the Symfony PHP framework which provides powerful methods to fetch HTTP resources synchronously or asynchronously. When using the `NoPrivateNetworkHttpClient`, some internal information still leaks during host resolution, which makes IP/port enumeration possible. As of versions 5.4.46, 6.4.14, and 7.1.7 the `NoPrivateNetworkHttpClient` filters blocked IPs earlier to prevent such leaks. All users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS 3.x Base Score

Provider   Type     Base Score  Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST       Primary  3.1 LOW     NETWORK      HIGH             LOW             CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
GitHub_M   CNA      3.1 LOW     NETWORK      HIGH             LOW             CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS Score: Percentile 49%
Affected Products (NVD)

Vendor      Product     Version
sensiolabs  httpclient  x < 5.4.46
sensiolabs  httpclient  6.0.0 <= x < 6.4.14
sensiolabs  httpclient  7.0.0 <= x < 7.1.7

x = vulnerable software versions
Debian Releases

Product  Codename             Version                 Status
symfony  bookworm             5.4.23+dfsg-1+deb12u4   fixed
symfony  bookworm (security)  5.4.23+dfsg-1+deb12u4   fixed
symfony  bullseye             4.4.19+dfsg-2+deb11u6   not-affected
symfony  bullseye (security)  4.4.19+dfsg-2+deb11u7   fixed
symfony  forky                7.4.2+dfsg-2            fixed
symfony  sid                  7.4.3+dfsg-1            fixed
symfony  trixie               6.4.21+dfsg-2           fixed
Ubuntu Releases

Product  Codename  Fixed Version                 Status
symfony  bionic    -                             not-affected
symfony  focal     -                             not-affected
symfony  jammy     5.4.4+dfsg-1ubuntu8+esm1      released
symfony  noble     6.4.5+dfsg-3ubuntu3+esm1      released
symfony  oracular  -                             ignored
symfony  plucky    -                             needs-triage
symfony  questing  -                             needs-triage
symfony  xenial    -                             not-affected