5.9

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-hx53-jchx-cr52

EPSS Score

CWE

CWE-291

Published

5/30/2024

Updated

5/30/2024

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-hx53-jchx-cr52

GHSA-hx53-jchx-cr52: Symfony2 improper IP based access control

Damien Tournoud, from the Drupal security team, contacted us two days ago about a security issue in the Request::getClientIp() method when the trust proxy mode is enabled (Request::trustProxyData()).

An application is vulnerable if it uses the client IP address as returned by the Request::getClientIp() method for sensitive decisions like IP based access control.

To fix this security issue, the following changes have been made to all versions of Symfony2:

A new Request::setTrustedProxies() method has been introduced and should be used intead of Request::trustProxyData() to enable the trust proxy mode. It takes an array of trusted proxy IP addresses as its argument:

// before (probably in your front controller script)
Request::trustProxyData();

// after
Request::setTrustedProxies(array('1.1.1.1'));
// 1.1.1.1 being the IP address of a trusted reverse proxy

The Request::trustProxyData() method has been deprecated (when used, it automatically trusts the latest proxy in the chain -- which is the current remote address):

Request::trustProxyData();

// is equivalent to
Request::setTrustedProxies(array($request->server->get('REMOTE_ADDR')));

We encourage all Symfony2 users to upgrade as soon as possible. It you don't want to upgrade to the latest version yet, you can also apply the following patches:

Patch for Symfony 2.0.19 Patch for Symfony 2.1.4

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-hx53-jchx-cr52

GHSA-hx53-jchx-cr52:

5.9

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-hx53-jchx-cr52

EPSS Score

CWE

CWE-291

Published

5/30/2024

Updated

5/30/2024

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
symfony/symfony	composer	>= 2.0.0, < 2.0.19	2.0.19
symfony/symfony	composer	>= 2.1.0, < 2.1.4	2.1.4

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from using trustProxyData() which automatically trusts the immediate proxy (REMOTE_ADDR) without validation. When combined with getClientIp(), this allows attackers to spoof X-Forwarded-For headers if the application isn't behind a properly configured trusted proxy. The security patches replace trustProxyData() with setTrustedProxies() requiring explicit proxy IPs, confirming these functions' role in the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.9

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-hx53-jchx-cr52: Symfony2 improper IP based access control

GHSA-hx53-jchx-cr52:

5.9

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

5.9

5.9

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Technical Details

GHSA-hx53-jchx-cr52: Symfony2 improper IP based access control

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI