CVE-2014-4931

Description

When investigating issue [#11093](https://github.com/symfony/symfony/issues/11093), [Jeremy Derussé](https://connect.sensiolabs.com/profile/jderusse) found a serious code injection issue in the way Symfony implements translation caching in FrameworkBundle. - Your Symfony application is vulnerable if you meet the following conditions: - You are using the Symfony translation system from FrameworkBundle (so basically if you are using Symfony full-stack -- you are not affected if you are using the Translation component with Silex for instance); You don't sanitize locales coming from a URL (any route with a _locale argument for instance): When vulnerable, an attacker can submit a non-valid locale value that can contain some PHP code that will be executed by Symfony. That's because the locale value is dumped into a PHP file generated in the cache without being sanitized first.

How to fix CVE-2014-4931

To remediate CVE-2014-4931, upgrade the affected package to a fixed version below.

• —upgrade to 2.3.18 or later
• —upgrade to 2.3.19 or later

Is CVE-2014-4931 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2014-4931.

Affected packages (2)

• >= 2.0.0, < 2.3.18
• >= 2.0.0, < 2.3.19

CVSS scores

References (4)

• WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/symfony/framework-bundle/CVE-2014-4931.yaml
• WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2014-4931.yaml
• WEBgithub.com/symfony/symfony/commit/06a80fbdbe744ad6f3010479ba64ef5cf35dd9af.patch
• WEB