5.9

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-hx53-jchx-cr52

EPSS Score

CWE

CWE-291

Published

5/30/2024

Updated

5/30/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-hx53-jchx-cr52

GHSA-hx53-jchx-cr52: Symfony2 improper IP based access control

Damien Tournoud, from the Drupal security team, contacted us two days ago about a security issue in the Request::getClientIp() method when the trust proxy mode is enabled (Request::trustProxyData()).

An application is vulnerable if it uses the client IP address as returned by the Request::getClientIp() method for sensitive decisions like IP based access control.

To fix this security issue, the following changes have been made to all versions of Symfony2:

A new Request::setTrustedProxies() method has been introduced and should be used intead of Request::trustProxyData() to enable the trust proxy mode. It takes an array of trusted proxy IP addresses as its argument:

// before (probably in your front controller script)
Request::trustProxyData();

// after
Request::setTrustedProxies(array('1.1.1.1'));
// 1.1.1.1 being the IP address of a trusted reverse proxy

The Request::trustProxyData() method has been deprecated (when used, it automatically trusts the latest proxy in the chain -- which is the current remote address):

Request::trustProxyData();

// is equivalent to
Request::setTrustedProxies(array($request->server->get('REMOTE_ADDR')));

We encourage all Symfony2 users to upgrade as soon as possible. It you don't want to upgrade to the latest version yet, you can also apply the following patches:

Patch for Symfony 2.0.19 Patch for Symfony 2.1.4

(GitHub Advisory)

5.9

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-hx53-jchx-cr52

EPSS Score

CWE

CWE-291

Published

5/30/2024

Updated

5/30/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
symfony/symfony	composer	>= 2.0.0, < 2.0.19	2.0.19
symfony/symfony	composer	>= 2.1.0, < 2.1.4	2.1.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from using trustProxyData() which automatically trusts the immediate proxy (REMOTE_ADDR) without validation. When combined with getClientIp(), this allows attackers to spoof X-Forwarded-For headers if the application isn't behind a properly configured trusted proxy. The security patches replace trustProxyData() with setTrustedProxies() requiring explicit proxy IPs, confirming these functions' role in the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

**mi*n Tournou*, *rom t** *rup*l s**urity t**m, *ont**t** us two **ys **o **out * s**urity issu* in t** R*qu*st::**t*li*ntIp() m*t*o* w**n t** trust proxy mo** is *n**l** (R*qu*st::trustProxy**t*()). *n *ppli**tion is vuln*r**l* i* it us*s t** *li*n

Reasoning

T** vuln*r**ility st*ms *rom usin* `trustProxy**t*()` w*i** *utom*ti**lly trusts t** imm**i*t* proxy (R*MOT*_***R) wit*out v*li**tion. W**n *om*in** wit* `**t*li*ntIp()`, t*is *llows *tt**k*rs to spoo* X-*orw*r***-*or *****rs i* t** *ppli**tion isn't

5.9

Basic Information

Concerned about an active attack path?

GHSA-hx53-jchx-cr52: Symfony2 improper IP based access control

5.9

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI