Vulnerability Name:CVE-2013-4752 (CCN-86365)

Assigned:2013-08-07
Published:2013-08-07
Updated:2020-01-10
Summary:Symfony 2.0.X before 2.0.24, 2.1.X before 2.1.12, 2.2.X before 2.2.5, and 2.3.X before 2.3.3 have an issue in the HttpFoundation component. When the framework generates an absolute URL it uses the client-supplied Host header without validating it, so the host portion of that URL can be manipulated by an attacker. A remote attacker could exploit this vulnerability to inject malicious content into the web application page and conduct various attacks.
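The mechanism behind the summary, as an added illustration that is not Symfony's code and not taken from any of the advisories below: a link is built from whatever Host (or X-Forwarded-Host) value the client sent, so an attacker who supplies Host: attacker.example.net gets a link pointing at their own origin, which becomes dangerous once the application hands that link to a victim (a password-reset e-mail is the classic case, which is why the CVSS vector above carries UI:R). The hardened variant refuses any host that is not syntactically a plain hostname and not on an allow-list. The function names, the allow-list patterns, the token and the constructed $_SERVER arrays are assumptions made for this example.

```php
<?php
// Added example, not Symfony's own code. Function names, allow-list patterns
// and the constructed request arrays below are assumptions for illustration.

declare(strict_types=1);

/** Host patterns this application is legitimately served under (assumed). */
const TRUSTED_HOST_PATTERNS = [
    '/^example\.com$/',
    '/^[a-z0-9-]+\.example\.com$/',
];

function requestScheme(array $server): string
{
    return (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
}

/**
 * Vulnerable pattern: trusts whatever the client sent in Host (or in
 * X-Forwarded-Host when behind a proxy) and bakes it into a link that is
 * later e-mailed to a user. The attacker controls the link's origin.
 */
function buildResetLinkUnsafe(array $server, string $token): string
{
    $host = $server['HTTP_X_FORWARDED_HOST'] ?? $server['HTTP_HOST'] ?? '';
    return sprintf('%s://%s/reset?token=%s', requestScheme($server), $host, rawurlencode($token));
}

/**
 * Allow-list check. Strips an optional port, lower-cases, requires plain
 * hostname characters only (no '/', '@', '?', whitespace or CR/LF that could
 * let the value escape the authority part of the URL), then matches against
 * the trusted patterns. "example.com.evil" fails because the patterns are anchored.
 */
function isTrustedHost(string $host): bool
{
    $bare = strtolower(preg_replace('/:\d+$/', '', $host) ?? '');
    if ($bare === '' || !preg_match('/^[a-z0-9.-]+$/', $bare)) {
        return false;
    }
    foreach (TRUSTED_HOST_PATTERNS as $pattern) {
        if (preg_match($pattern, $bare)) {
            return true;
        }
    }
    return false;
}

/** Hardened variant: same link, but the host must pass the allow-list first. */
function buildResetLinkSafe(array $server, string $token): string
{
    $host = $server['HTTP_X_FORWARDED_HOST'] ?? $server['HTTP_HOST'] ?? '';
    if (!isTrustedHost($host)) {
        // Refuse the request instead of generating a link to an attacker-chosen origin.
        throw new UnexpectedValueException(sprintf('Untrusted Host header "%s"', $host));
    }
    return sprintf('%s://%s/reset?token=%s', requestScheme($server), $host, rawurlencode($token));
}

// Constructed requests: one with an attacker-chosen Host, one legitimate.
$token   = 'c0ffee';
$spoofed = ['HTTPS' => 'on', 'HTTP_HOST' => 'attacker.example.net'];
$legit   = ['HTTPS' => 'on', 'HTTP_HOST' => 'www.example.com'];

// Unsafe builder happily emits a link whose origin the attacker controls;
// if this is mailed to the user, clicking it sends the token to the attacker.
echo 'unsafe:   ', buildResetLinkUnsafe($spoofed, $token), PHP_EOL;

try {
    echo 'safe:     ', buildResetLinkSafe($spoofed, $token), PHP_EOL;
} catch (UnexpectedValueException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// A host on the allow-list still produces the link as before.
echo 'safe:     ', buildResetLinkSafe($legit, $token), PHP_EOL;
```

Run it with `php` from the command line; no web server is needed because the request arrays are constructed inline. The important design point is that the allow-list is consulted before the host is used anywhere, and that the syntactic check runs first so a value containing path, userinfo or newline characters never reaches the pattern matching at all. When checking a deployment, also confirm that the reverse proxy in front of the application overwrites rather than forwards a client-supplied X-Forwarded-Host, since the unsafe builder above prefers that header.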
CVSS v3 Severity:6.1 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
2.6 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availability (A): None
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
3.5 Low (CCN CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N)
3.0 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N/E:H/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Vulnerability Type:CWE-79
Vulnerability Consequences:Other
References:Source: MITRE
Type: CNA
CVE-2013-4752

Source: MISC
Type: Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2013-August/114450.html

Source: MISC
Type: Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2013-August/114461.html

Source: CCN
Type: SA54329
Symfony HOST HTTP Header Spoofing and Validation Bypass Vulnerabilities

Source: CCN
Type: Symfony Web site
High Performance PHP Framework for Web Development - Symfony

Source: CCN
Type: Symfony Blog, August 07, 2013
Fabien Potencier Security releases: Symfony 2.0.24, 2.1.12, 2.2.5, and 2.3.3 released

Source: CONFIRM
Type: Patch, Vendor Advisory
http://symfony.com/blog/security-releases-symfony-2-0-24-2-1-12-2-2-5-and-2-3-3-released

Source: CCN
Type: BID-61715
Symfony CVE-2013-4752 HTTP Header Spoofing Security Bypass Vulnerability

Source: MISC
Type: Third Party Advisory, VDB Entry
http://www.securityfocus.com/bid/61715

Source: MISC
Type: Issue Tracking, Patch, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4752

Source: MISC
Type: Third Party Advisory, VDB Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/86365

Source: XF
Type: UNKNOWN
symfony-cve20134752-spoofing(86365)

Source: MISC
Type: Third Party Advisory, VDB Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/86366

Source: MISC
Type: Third Party Advisory, VDB Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/86367

Source: MISC
Type: Third Party Advisory, VDB Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/86368

Source: MISC
Type: Third Party Advisory, VDB Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/86369

Source: MISC
Type: Third Party Advisory, VDB Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/86370

Source: MISC
Type: Third Party Advisory, VDB Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/86371

Source: MISC
Type: Third Party Advisory, VDB Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/86372

Source: MISC
Type: Third Party Advisory, VDB Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/86373

Source: MISC
Type: Third Party Advisory, VDB Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/86374

Vulnerable Configuration:Configuration 1:
  • cpe:/a:sensiolabs:symfony:*:*:*:*:*:*:*:* (Version >= 2.0.0 and < 2.0.24)
  • OR cpe:/a:sensiolabs:symfony:*:*:*:*:*:*:*:* (Version >= 2.1.0 and < 2.1.12)
  • OR cpe:/a:sensiolabs:symfony:*:*:*:*:*:*:*:* (Version >= 2.2.0 and < 2.2.5)
  • OR cpe:/a:sensiolabs:symfony:*:*:*:*:*:*:*:* (Version >= 2.3.0 and < 2.3.3)

Configuration 2:
  • cpe:/o:fedoraproject:fedora:18:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:19:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:sensiolabs:symfony:2.0.23:*:*:*:*:*:*:*
  • OR cpe:/a:sensiolabs:symfony:2.1.11:*:*:*:*:*:*:*
  • OR cpe:/a:sensiolabs:symfony:2.2.4:*:*:*:*:*:*:*
  • OR cpe:/a:sensiolabs:symfony:2.3.2:*:*:*:*:*:*:*
