Vulnerability Description
FragmentListener in the HttpKernel component in Symfony 2.3.19 through 2.3.28, 2.4.9 through 2.4.10, 2.5.4 through 2.5.11, and 2.6.0 through 2.6.7, when ESI or SSI support enabled, does not check if the _controller attribute is set, which allows remote attackers to bypass URL signing and security rules by including (1) no hash or (2) an invalid hash in a request to /_fragment.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Sensiolabs | Symfony | 2.3.19 |
Related Weaknesses (CWE)
References
- http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159513.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159603.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159610.html
- http://symfony.com/blog/cve-2015-4050-esi-unauthorized-accessVendor Advisory
- http://www.debian.org/security/2015/dsa-3276
- http://www.securityfocus.com/bid/74928
- http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159513.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159603.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159610.html
- http://symfony.com/blog/cve-2015-4050-esi-unauthorized-accessVendor Advisory
- http://www.debian.org/security/2015/dsa-3276
- http://www.securityfocus.com/bid/74928
FAQ
What is CVE-2015-4050?
CVE-2015-4050 is a vulnerability with a CVSS score of 4.3 (MEDIUM). FragmentListener in the HttpKernel component in Symfony 2.3.19 through 2.3.28, 2.4.9 through 2.4.10, 2.5.4 through 2.5.11, and 2.6.0 through 2.6.7, when ESI or SSI support enabled, does not check if t...
How severe is CVE-2015-4050?
CVE-2015-4050 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2015-4050?
Check the references section above for vendor advisories and patch information. Affected products include: Sensiolabs Symfony.