CVE-2015-4050
symfony - security update
EPSS 76.2%
Description
FragmentListener in the HttpKernel component in Symfony 2.3.19 through 2.3.28, 2.4.9 through 2.4.10, 2.5.4 through 2.5.11, and 2.6.0 through 2.6.7, when ESI or SSI support is enabled, does not check whether the _controller attribute is set, which allows remote attackers to bypass URL signing and security rules by including (1) no hash or (2) an invalid hash in a request to /_fragment.
How to fix CVE-2015-4050
To remediate CVE-2015-4050, upgrade the affected package to a fixed version below.
- Debian/symfony—upgrade to 2.7.0~beta2+dfsg-2 or later
- Debian/symfony—upgrade to 2.3.21+dfsg-4+deb8u1 or later
- —upgrade to 2.3.29 or later
- —upgrade to 2.3.29 or later
Is CVE-2015-4050 being exploited?
Likely — EPSS is 76.2%, placing CVE-2015-4050 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (4)
- from 0, < 2.7.0~beta2+dfsg-2
- from 0, < 2.3.21+dfsg-4+deb8u1
- >= 2.3.19, < 2.3.29
- >= 2.3.19, < 2.3.29