Vulnerability Details : CVE-2020-15094
In Symfony before versions 4.4.13 and 5.1.5, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response for a request being made by the CachingHttpClient, remote code execution is possible. This has been fixed in versions 4.4.13 and 5.1.5.
Vulnerability category: Execute code
Exploit prediction scoring system (EPSS) score for CVE-2020-15094
Probability of exploitation activity in the next 30 days: 0.71%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 78 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2020-15094
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST |
|
8.8
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
2.8
|
5.9
|
NIST |
|
8.0
|
HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H |
1.3
|
6.0
|
GitHub, Inc. |
CWE ids for CVE-2020-15094
-
The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors.Assigned by: security-advisories@github.com (Primary)
References for CVE-2020-15094
-
https://github.com/symfony/symfony/security/advisories/GHSA-754h-5r27-7x3r
Prevent RCE when calling untrusted remote with CachingHttpClient · Advisory · symfony/symfony · GitHubThird Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HNGUWOEETOFVH4PN3I3YO4QZHQ4AUKF3/
[SECURITY] Fedora 33 Update: php-symfony4-4.4.13-1.fc33 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://packagist.org/packages/symfony/symfony
symfony/symfony - PackagistProduct;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VAQJXAKWPMWB7OL6QPG2ZSEQZYYPU5RC/
[SECURITY] Fedora 32 Update: php-symfony4-4.4.13-1.fc32 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://packagist.org/packages/symfony/http-kernel
symfony/http-kernel - PackagistProduct;Third Party Advisory
-
https://github.com/symfony/symfony/commit/d9910e0b33a2e0f993abff41c6fbc86951b66d78
security #cve-2020-15094 Remove headers with internal meaning from Ht… · symfony/symfony@d9910e0 · GitHubPatch;Third Party Advisory
Products affected by CVE-2020-15094
- cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:httpclient:*:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:httpclient:*:*:*:*:*:*:*:*