NVD Vulnerability Detail

CVE-2020-15094

Summary	In Symfony before versions 4.4.13 and 5.1.5, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response for a request being made by the CachingHttpClient, remote code execution is possible. This has been fixed in versions 4.4.13 and 5.1.5.
Publication Date	Sept. 3, 2020, 3:15 a.m.
Registration Date	Jan. 26, 2021, 11:53 a.m.
Last Update	Nov. 21, 2024, 2:04 p.m.

Affected software configurations

Related information, measures and tools

No	URL	タグ
1	https://github.com/symfony/symfony/commit/d9910e0b33a2e0f993abff41c6fbc86951b66d78	Patch Third Party Advisory
2	https://github.com/symfony/symfony/commit/d9910e0b33a2e0f993abff41c6fbc86951b66d78	Patch Third Party Advisory
3	https://github.com/symfony/symfony/security/advisories/GHSA-754h-5r27-7x3r	Third Party Advisory
4	https://github.com/symfony/symfony/security/advisories/GHSA-754h-5r27-7x3r	Third Party Advisory
5	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HNGUWOEETOFVH4PN3I3YO4QZHQ4AUKF3/
6	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HNGUWOEETOFVH4PN3I3YO4QZHQ4AUKF3/
7	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VAQJXAKWPMWB7OL6QPG2ZSEQZYYPU5RC/
8	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VAQJXAKWPMWB7OL6QPG2ZSEQZYYPU5RC/
9	https://packagist.org/packages/symfony/http-kernel	Product Third Party Advisory
10	https://packagist.org/packages/symfony/http-kernel	Product Third Party Advisory
11	https://packagist.org/packages/symfony/symfony	Product Third Party Advisory
12	https://packagist.org/packages/symfony/symfony	Product Third Party Advisory

Common Vulnerabilities List

JVN Vulnerability Information

Symfony における保存または転送前の重要な情報の削除に関する脆弱性

Title	Symfony における保存または転送前の重要な情報の削除に関する脆弱性
Summary	Symfony には、保存または転送前の重要な情報の削除に関する脆弱性が存在します。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Sept. 2, 2020, midnight
Registration Date	Feb. 10, 2021, 12:01 p.m.
Last Update	Feb. 10, 2021, 12:01 p.m.

Affected System

Sensio Labs

HTTP Client

Symfony 4.4.13 未満

Symfony 5.1.5 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2020-15094	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15094
National Vulnerability Database (NVD)
2	CVE-2020-15094	https://nvd.nist.gov/vuln/detail/CVE-2020-15094

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-212	https://cwe.mitre.org/data/definitions/212.html

ベンダー情報

No	Name	URL
GitHub
1	Prevent RCE when calling untrusted remote with CachingHttpClient	https://github.com/symfony/symfony/security/advisories/GHSA-754h-5r27-7x3r
2	security #cve-2020-15094 Remove headers with internal meaning from HttpClient responses (mpdude)	https://github.com/symfony/symfony/commit/d9910e0b33a2e0f993abff41c6fbc86951b66d78
Packagist
3	Symfony HttpKernel Component	https://packagist.org/packages/symfony/http-kernel
4	The Symfony PHP framework	https://packagist.org/packages/symfony/symfony

Change Log

No	Changed Details	Date of change
1	[2021年02月10日] 掲載	Feb. 10, 2021, 12:01 p.m.