CVE-2018-14774
Symfony Host Header Injection
Severity: HIGH (CVSS 3.1 base score 7.2)
EPSS: 0.17%
Description
An issue was discovered in HttpKernel in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. When HttpCache is used, the values of X-Forwarded-Host headers are implicitly treated as trusted even though they should not be, which can lead to host header injection.
How to fix CVE-2018-14774
To remediate CVE-2018-14774, upgrade the affected package to a fixed version below.
- Upgrade to 3.4.14+dfsg-1 or later
- Upgrade to 2.7.49 or later
Is CVE-2018-14774 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 0, < 3.4.14+dfsg-1
- >= 2.7.0, < 2.7.49
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.2) | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N |