CVE-2024-50342

06.11.2024, 21:15

symfony/http-client is a module for the Symphony PHP framework which provides powerful methods to fetch HTTP resources synchronously or asynchronously. When using the `NoPrivateNetworkHttpClient`, some internal information is still leaking during host resolution, which leads to possible IP/port enumeration. As of versions 5.4.46, 6.4.14, and 7.1.7 the `NoPrivateNetworkHttpClient` now filters blocked IPs earlier to prevent such leaks. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	3.1 LOW	NETWORK	HIGH	LOW	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
GitHub_M	CNA	3.1 LOW	NETWORK	HIGH	LOW	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 49%

Vendor	Product	Version
sensiolabs	httpclient	𝑥 < 5.4.46
sensiolabs	httpclient	6.0.0 ≤ 𝑥 < 6.4.14
sensiolabs	httpclient	7.0.0 ≤ 𝑥 < 7.1.7

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

symfony

bullseye	4.4.19+dfsg-2+deb11u6 not-affected
bullseye (security)	4.4.19+dfsg-2+deb11u7 fixed
bookworm	5.4.23+dfsg-1+deb12u4 fixed
bookworm (security)	5.4.23+dfsg-1+deb12u4 fixed
trixie	6.4.21+dfsg-2 fixed
forky	7.4.2+dfsg-2 fixed
sid	7.4.3+dfsg-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

symfony

questing	needs-triage
plucky	needs-triage
oracular	ignored
noble	Fixed 6.4.5+dfsg-3ubuntu3+esm1 released
jammy	Fixed 5.4.4+dfsg-1ubuntu8+esm1 released
focal	not-affected
bionic	not-affected
xenial	not-affected

Common Weakness Enumeration

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References

https://github.com/symfony/symfony/commit/296d4b34a33b1a6ca5475c6040b3203622520f5b

https://github.com/symfony/symfony/security/advisories/GHSA-9c3x-r3wp-mgxm