5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2015-2309

GHSA ID

GHSA-p684-f7fh-jv2j

EPSS Score

CWE

CWE-20

Published

5/30/2024

Updated

5/30/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2015-2309

CVE-2015-2309: Symfony has unsafe methods in the Request class

All 2.0.X, 2.1.X, 2.2.X, 2.3.X, 2.4.X, 2.5.X, and 2.6.X versions of the Symfony HttpFoundation component are affected by this security issue.

This issue has been fixed in Symfony 2.3.27, 2.5.11, and 2.6.6. Note that no fixes are provided for Symfony 2.0, 2.1, 2.2, and 2.4 as they are not maintained anymore.

Description

The Symfony\Component\HttpFoundation\Request class provides a mechanism that ensures it does not trust HTTP header values coming from a "non-trusted" client. Unfortunately, it assumes that the remote address is always a trusted client if at least one trusted proxy is involved in the request; this allows a man-in-the-middle attack between the latest trusted proxy and the web server.

The following methods are impacted: getPort(), isSecure(), and getHost(), and getClientIps().

Resolution

All impacted methods now check that the remote address is trusted, which fixes the issue.

The patch for this issue is available here.

(GitHub Advisory)

5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2015-2309

GHSA ID

GHSA-p684-f7fh-jv2j

EPSS Score

CWE

CWE-20

Published

5/30/2024

Updated

5/30/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
symfony/http-foundation	composer	>= 2.0.0, < 2.3.27	2.3.27
symfony/http-foundation	composer	>= 2.4.0, < 2.5.11	2.5.11
symfony/http-foundation	composer	>= 2.6.0, < 2.6.6	2.6.6
symfony/symfony	composer	>= 2.0.0, < 2.3.27	2.3.27
symfony/symfony	composer	>= 2.4.0, < 2.5.11	2.5.11
symfony/symfony	composer	>= 2.6.0, < 2.6.6	2.6.6

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from these methods trusting HTTP headers (X-Forwarded-* etc.) based solely on the presence of any configured trusted proxies, without verifying the actual remote address making the request. The commit diff shows they previously checked self::$trustedProxies existence but not whether the current REMOTE_ADDR was in that list. This allowed MITM attacks between the last trusted proxy and server. The patch introduced isFromTrustedProxy() to validate REMOTE_ADDR against trusted proxies before trusting headers.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ll *.*.X, *.*.X, *.*.X, *.*.X, *.*.X, *.*.X, *n* *.*.X v*rsions o* t** Sym*ony *ttp*oun**tion *ompon*nt *r* *****t** *y t*is s**urity issu*. T*is issu* **s ***n *ix** in Sym*ony *.*.**, *.*.**, *n* *.*.*. Not* t**t no *ix*s *r* provi*** *or Sym*ony

Reasoning

T** vuln*r**ility st*ms *rom t**s* m*t*o*s trustin* *TTP *****rs (X-*orw*r***-* *t*.) **s** sol*ly on t** pr*s*n** o* *ny *on*i*ur** trust** proxi*s, wit*out v*ri*yin* t** **tu*l r*mot* ***r*ss m*kin* t** r*qu*st. T** *ommit *i** s*ows t**y pr*viousl

5.3

Basic Information

Concerned about an active attack path?

CVE-2015-2309: Symfony has unsafe methods in the Request class

Description

Resolution

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI