CVE-2018-14773
CVE-2018-14773 is a medium-severity vulnerability in Sensiolabs Symfony with a CVSS 3.x base score of 6.5. Its EPSS exploit-prediction score of 58% places it in the 99th percentile, indicating an elevated likelihood of exploitation.
Key facts
- Severity: Medium (CVSS 3.x base score 6.5)
- CVSS v2: 4.0
- EPSS exploit prediction: 58% (99th percentile)
- Actively exploited: Not listed in CISA KEV
- Affected product: Sensiolabs Symfony
- Published:
- Last modified:
Description
An issue was discovered in Http Foundation in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. It arises from support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header. These headers are designed for IIS support, but it's not verified that the server is in fact running IIS, which means anybody who can send these requests to an application can trigger this. This affects \Symfony\Component\HttpFoundation\Request::prepareRequestUri() where X-Original-URL and X_REWRITE_URL are both used. The fix drops support for these methods so that they cannot be used as attack vectors such as web cache poisoning.
Frequently asked questions
- What is CVE-2018-14773?
- An issue was discovered in Http Foundation in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. It arises from support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header. These headers are designed for IIS support, but it's not verified that the server is in fact running IIS, which means anybody who can send these requests to an application can trigger this. This affects \Symfony\Component\HttpFoundation\Request::prepareRequestUri() where X-Original-URL and X_REWRITE_URL are both used. The fix drops support for these methods so that they cannot be used as attack vectors such as web cache poisoning.
- How severe is CVE-2018-14773?
- CVE-2018-14773 has a CVSS 3.x base score of 6.5, rated medium severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is none, integrity high, and availability none.
- Is CVE-2018-14773 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 58% (99th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2018-14773?
- CVE-2018-14773 primarily affects Sensiolabs Symfony. In total, 4 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2018-14773?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2018-14773 published?
- CVE-2018-14773 was published on 2018-08-03 and last updated on 2026-06-17.
References
- http://www.securityfocus.com/bid/104943
- http://www.securitytracker.com/id/1041405
- https://github.com/symfony/symfony/commit/e447e8b92148ddb3d1956b96638600ec95e08f6b
- https://lists.debian.org/debian-lts-announce/2019/03/msg00009.html
- https://seclists.org/bugtraq/2019/May/21
- https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers
- https://www.debian.org/security/2019/dsa-4441
- https://www.drupal.org/SA-CORE-2018-005
Affected products (4)
- cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:drupal:drupal:*:*:*:*:*:*:*:*
More vulnerabilities in Sensiolabs Symfony
- CVE-2019-18889 — Critical (CVSS 9.8): An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing…
- CVE-2019-11325 — Critical (CVSS 9.8): An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes…
- CVE-2017-11365 — Critical (CVSS 9.8): Certain Symfony products are affected by: Incorrect Access Control. This affects Symfony 2.7.30 and Symfony 2.8.23 and…
- CVE-2019-10913 — Critical (CVSS 9.8): In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, HTTP…
- CVE-2019-10910 — Critical (CVSS 9.8): In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when…
- CVE-2018-11407 — Critical (CVSS 9.8): An issue was discovered in the Ldap component in Symfony 2.8.x before 2.8.37, 3.3.x before 3.3.17, 3.4.x before 3.4.7,…