CVE-2014-5244: Symfony vulnerable to denial of service via a malicious HTTP Host header
CVSS Score: 7.5 (CVSS v3.1)

Basic Information
CVE ID: CVE-2014-5244
GHSA ID: -
EPSS Score: -
CWE: -
Published: 5/30/2024
Updated: 5/30/2024
KEV Status: No
Technology: PHP

Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| symfony/http-foundation | composer | >= 2.0.0, < 2.3.19 | 2.3.19 |
| symfony/http-foundation | composer | >= 2.4.0, < 2.4.9 | 2.4.9 |
| symfony/http-foundation | composer | >= 2.5.0, < 2.5.4 | 2.5.4 |
| symfony/symfony | composer | >= 2.0.0, < 2.3.19 | 2.3.19 |
| symfony/symfony | composer | >= 2.4.0, < 2.4.9 | 2.4.9 |
| symfony/symfony | composer | >= 2.5.0, < 2.5.4 | 2.5.4 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems directly from the host validation implementation in Request::getHost(). Multiple sources confirm this:

1. The advisory explicitly names this method as the attack vector.
2. The patch modifies the host validation regex in HttpFoundation.
3. Commit 5506ee8, titled 'Fix potential DoS when parsing HOST', targets this functionality.
4. CWE-1333 specifically describes inefficient regular expression complexity, the class of weakness involved here.

Because this function parses the untrusted Host header with a regex that is vulnerable to such inefficiency, it is the clear entry point for this denial-of-service attack.