CVE-2015-4050 - Medium Severity Vulnerability
Vulnerable Library - symfony/http-kernel-v3.1.9
The HttpKernel component provides a structured process for converting a Request into a Response.
Dependency Hierarchy:
- laravel/framework-v5.3.29 (Root Library)
- ❌ symfony/http-kernel-v3.1.9 (Vulnerable Library)
Vulnerability Details
FragmentListener in the HttpKernel component in Symfony 2.3.19 through 2.3.28, 2.4.9 through 2.4.10, 2.5.4 through 2.5.11, and 2.6.0 through 2.6.7, when ESI or SSI support enabled, does not check if the _controller attribute is set, which allows remote attackers to bypass URL signing and security rules by including (1) no hash or (2) an invalid hash in a request to /_fragment.
Publish Date: 2015-06-02
URL: CVE-2015-4050
CVSS 2 Score Details (4.3)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4050
Release Date: 2015-06-02
Fix Resolution: v2.3.29,v2.5.12,v2.6.8
Step up your Open Source Security Game with WhiteSource here
CVE-2015-4050 - Medium Severity Vulnerability
The HttpKernel component provides a structured process for converting a Request into a Response.
Dependency Hierarchy:
FragmentListener in the HttpKernel component in Symfony 2.3.19 through 2.3.28, 2.4.9 through 2.4.10, 2.5.4 through 2.5.11, and 2.6.0 through 2.6.7, when ESI or SSI support enabled, does not check if the _controller attribute is set, which allows remote attackers to bypass URL signing and security rules by including (1) no hash or (2) an invalid hash in a request to /_fragment.
Publish Date: 2015-06-02
URL: CVE-2015-4050
Base Score Metrics not available
Type: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4050
Release Date: 2015-06-02
Fix Resolution: v2.3.29,v2.5.12,v2.6.8
Step up your Open Source Security Game with WhiteSource here