N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-vfm6-r2gc-pwww

EPSS Score

CWE

Published

5/30/2024

Updated

5/30/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-vfm6-r2gc-pwww

GHSA-vfm6-r2gc-pwww: Symfony2 security issue when the trust proxy mode is enabled

An application is vulnerable if it uses the client IP address as returned by the Request::getClientIp() method for sensitive decisions like IP based access control.

To fix this security issue, the following changes have been made to all versions of Symfony2:

A new Request::setTrustedProxies() method has been introduced and should be used intead of Request::trustProxyData() to enable the trust proxy mode. It takes an array of trusted proxy IP addresses as its argument:

// before (probably in your front controller script)
Request::trustProxyData();

// after
Request::setTrustedProxies(array('1.1.1.1'));
// 1.1.1.1 being the IP address of a trusted reverse proxy

The Request::trustProxyData() method has been deprecated (when used, it automatically trusts the latest proxy in the chain -- which is the current remote address):

Request::trustProxyData();

// is equivalent to
Request::setTrustedProxies(array($request->server->get('REMOTE_ADDR')));

We encourage all Symfony2 users to upgrade as soon as possible. It you don't want to upgrade to the latest version yet, you can also apply the following patches:

Patch for Symfony 2.0.19
Patch for Symfony 2.1.4

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-vfm6-r2gc-pwww

EPSS Score

CWE

Published

5/30/2024

Updated

5/30/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
symfony/http-foundation	composer	>= 2.0.0, < 2.0.19	2.0.19
symfony/http-foundation	composer	>= 2.1.0, < 2.1.4	2.1.4
symfony/symfony	composer	>= 2.0.0, < 2.0.19	2.0.19
symfony/symfony	composer	>= 2.1.0, < 2.1.4	2.1.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key functions: 1) trustProxyData() enables proxy trust without proper IP validation, creating an insecure default configuration. 2) getClientIp() relies on this insecure configuration to return client IPs from untrusted headers. Together, they allow IP spoofing when the application is behind a reverse proxy. The deprecated trustProxyData() method is particularly critical as it automatically trusts the immediate proxy (REMOTE_ADDR), while getClientIp() becomes dangerous when used with this configuration for security decisions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n *ppli**tion is vuln*r**l* i* it us*s t** *li*nt IP ***r*ss *s r*turn** *y t** R*qu*st::**t*li*ntIp() m*t*o* *or s*nsitiv* ***isions lik* IP **s** ****ss *ontrol. To *ix t*is s**urity issu*, t** *ollowin* ***n**s **v* ***n m*** to *ll v*rsions o*

Reasoning

T** vuln*r**ility st*ms *rom two k*y *un*tions: *) `trustProxy**t*()` *n**l*s proxy trust wit*out prop*r IP v*li**tion, *r**tin* *n ins**ur* ****ult `*on*i*ur*tion`. *) `**t*li*ntIp()` r*li*s on t*is ins**ur* `*on*i*ur*tion` to r*turn *li*nt IPs *rom

N/A

Basic Information

Concerned about an active attack path?

GHSA-vfm6-r2gc-pwww: Symfony2 security issue when the trust proxy mode is enabled

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI