Miggo Logo

CVE-2014-5244: Symfony vulnerable to denial of service via a malicious HTTP Host header

7.5

CVSS Score
3.1

Basic Information

EPSS Score
-
Published
5/30/2024
Updated
5/30/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
symfony/http-foundationcomposer>= 2.0.0, < 2.3.192.3.19
symfony/http-foundationcomposer>= 2.4.0, < 2.4.92.4.9
symfony/http-foundationcomposer>= 2.5.0, < 2.5.42.5.4
symfony/symfonycomposer>= 2.0.0, < 2.3.192.3.19
symfony/symfonycomposer>= 2.4.0, < 2.4.92.4.9
symfony/symfonycomposer>= 2.5.0, < 2.5.42.5.4

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems directly from Request::getHost()'s host validation implementation. Multiple sources confirm: 1) The advisory explicitly mentions this method as the attack vector 2) The patch modifies host validation regex in HttpFoundation 3) Commit 5506ee8 titled 'Fix potential DoS when parsing HOST' targets this functionality 4) CWE-1333 specifically describes regex inefficiency vulnerabilities. The function's role in parsing untrusted Host headers using a vulnerable regex makes it the clear entry point for this DoS attack.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ll *.*.X, *.*.X, *.*.X, *.*.X, *.*.X, *n* *.*.X v*rsions o* t** Sym*ony *ttp*oun**tion *ompon*nt *r* *****t** *y t*is s**urity issu*. T*is issu* **s ***n *ix** in Sym*ony *.*.**, *.*.*, *n* *.*.*. Not* t**t no *ix*s *r* provi*** *or Sym*ony *.*, *.

Reasoning

T** vuln*r**ility st*ms *ir**tly *rom `R*qu*st::**t*ost()`'s *ost v*li**tion impl*m*nt*tion. Multipl* sour**s *on*irm: *) T** **visory *xpli*itly m*ntions t*is m*t*o* *s t** *tt**k v**tor *) T** p*t** mo*i*i*s *ost v*li**tion r***x in `*ttp*oun**tion