CVE-2020-5255 : In Symfony before versions 4.4.7 and 5.0.7, when a `Response` does not contain a

In Symfony before versions 4.4.7 and 5.0.7, when a `Response` does not contain a `Content-Type` header, affected versions of Symfony can fallback to the format defined in the `Accept` header of the request, leading to a possible mismatch between the response's content and `Content-Type` header. When the response is cached, this can prevent the use of the website by other users. This has been patched in versions 4.4.7 and 5.0.7.

Published 2020-03-30 20:15:20

Updated 2020-04-09 17:15:13

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Input validation

Products affected by CVE-2020-5255

Sensiolabs » Symfony
Versions from including (>=) 4.4.0 and before (<) 4.4.7
cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*
Matching versions
Sensiolabs » Symfony
Versions from including (>=) 5.0.0 and before (<) 5.0.7
cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2020-5255

EPSS FAQ

0.37%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 56 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-5255

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.0	MEDIUM	AV:N/AC:L/Au:S/C:N/I:N/A:P	8.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
4.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L	2.8	1.4	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: Low
2.6	LOW	CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L	1.2	1.4	GitHub, Inc.
Attack Vector: Network Attack Complexity: High Privileges Required: Low User Interaction: Required Scope: Unchanged Confidentiality: None Integrity: None Availability: Low

CWE ids for CVE-2020-5255

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Assigned by: nvd@nist.gov (Primary)
CWE-435 Improper Interaction Between Multiple Correctly-Behaving Entities

An interaction error occurs when two entities have correct behavior when running independently of each other, but when they are integrated as components in a larger system or process, they introduce incorrect behaviors that may cause resultant weaknesses.

Assigned by: security-advisories@github.com (Secondary)

References for CVE-2020-5255

https://symfony.com/blog/cve-2020-5255-prevent-cache-poisoning-via-a-response-content-type-header

CVE-2020-5255: Prevent cache poisoning via a Response Content-Type header (Symfony Blog)
Third Party Advisory
https://github.com/symfony/symfony/commit/dca343442e6a954f96a2609e7b4e9c21ed6d74e6

security #cve-2020-5255 [HttpFoundation] Do not set the default Conte… · symfony/symfony@dca3434 · GitHub
Patch;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C36JLPHUPKDFAX6D5WYFC4ALO2K7RDUQ/

[SECURITY] Fedora 32 Update: php-symfony4-4.4.7-1.fc32 - package-announce - Fedora Mailing-Lists

CVEs referencing this url
https://github.com/symfony/symfony/security/advisories/GHSA-mcx4-f5f5-4859

Prevent cache poisoning via a Response Content-Type header · Advisory · symfony/symfony · GitHub
Third Party Advisory

Jump to

Vulnerability Details : CVE-2020-5255

Products affected by CVE-2020-5255

Exploit prediction scoring system (EPSS) score for CVE-2020-5255

CVSS scores for CVE-2020-5255

CWE ids for CVE-2020-5255

References for CVE-2020-5255