CVE-2015-2309: Symfony has unsafe methods in the Request class
CVSS Score: 5.3 (CVSS 3.1)
Basic Information
CVE ID: CVE-2015-2309
GHSA ID: -
EPSS Score: -
CWE: -
Published: 5/30/2024
Updated: 5/30/2024
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| symfony/http-foundation | composer | >= 2.0.0, < 2.3.27 | 2.3.27 |
| symfony/http-foundation | composer | >= 2.4.0, < 2.5.11 | 2.5.11 |
| symfony/http-foundation | composer | >= 2.6.0, < 2.6.6 | 2.6.6 |
| symfony/symfony | composer | >= 2.0.0, < 2.3.27 | 2.3.27 |
| symfony/symfony | composer | >= 2.4.0, < 2.5.11 | 2.5.11 |
| symfony/symfony | composer | >= 2.6.0, < 2.6.6 | 2.6.6 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from these Request methods trusting HTTP headers such as X-Forwarded-* solely because trusted proxies had been configured, without verifying the remote address the request actually came from. The commit diff shows that the methods checked whether self::$trustedProxies was set but not whether the current REMOTE_ADDR was in that list. As a result, a request that did not come from a trusted proxy, for example one injected by a man-in-the-middle between the last trusted proxy and the server, could supply forged forwarded headers that the application would honour. The patch introduced isFromTrustedProxy() to validate REMOTE_ADDR against the trusted proxies before the headers are trusted.
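The check described above, as an added example that is not Symfony's own code: a minimal model of client-IP resolution with the vulnerable "any trusted proxy configured" condition beside the fixed REMOTE_ADDR check. The function names, the `$server` array (standing in for PHP's `$_SERVER`) and all addresses are constructed for illustration.

```php
<?php
// Added example, not Symfony's own code: a minimal model of the trusted-proxy
// check described above. $server stands for PHP's $_SERVER; all addresses are constructed.

// Walk X-Forwarded-For from the right, skipping trusted proxies, to find the client.
function forwardedClientIp(array $server, array $trustedProxies): string
{
    $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    while ($chain && in_array(end($chain), $trustedProxies, true)) {
        array_pop($chain);
    }
    return ($chain && end($chain) !== '') ? end($chain) : $server['REMOTE_ADDR'];
}

// Vulnerable: the header is honoured as soon as *any* trusted proxy is configured,
// without checking who actually connected to the application.
function clientIpVulnerable(array $server, array $trustedProxies): string
{
    return $trustedProxies ? forwardedClientIp($server, $trustedProxies) : $server['REMOTE_ADDR'];
}

// Fixed: honour the header only when the TCP peer (REMOTE_ADDR) is a trusted proxy.
function isFromTrustedProxy(array $server, array $trustedProxies): bool
{
    return in_array($server['REMOTE_ADDR'], $trustedProxies, true);
}

function clientIpFixed(array $server, array $trustedProxies): string
{
    return isFromTrustedProxy($server, $trustedProxies)
        ? forwardedClientIp($server, $trustedProxies) : $server['REMOTE_ADDR'];
}

$trusted = ['10.0.0.5']; // constructed: the reverse proxy in front of the app

// Request relayed by the proxy: both versions report the real client.
$viaProxy = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7'];
assert(clientIpVulnerable($viaProxy, $trusted) === '203.0.113.7');
assert(clientIpFixed($viaProxy, $trusted) === '203.0.113.7');

// Request that bypassed the proxy but carries a forged header: the vulnerable code
// reports the spoofed address, the fixed code reports the real peer, so IP-based
// access rules and audit logs stay accurate.
$direct = ['REMOTE_ADDR' => '198.51.100.9', 'HTTP_X_FORWARDED_FOR' => '127.0.0.1'];
assert(clientIpVulnerable($direct, $trusted) === '127.0.0.1');
assert(clientIpFixed($direct, $trusted) === '198.51.100.9');
```

The same REMOTE_ADDR check is what the fixed versions in the table above apply before trusting any forwarded header, so reviewing which addresses are listed as trusted proxies is the practical mitigation step on a patched deployment.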