CVE-2020-5255

Description

In Symfony before versions 4.4.7 and 5.0.7, when a `Response` does not contain a `Content-Type` header, affected versions of Symfony can fallback to the format defined in the `Accept` header of the request, leading to a possible mismatch between the response's content and `Content-Type` header. When the response is cached, this can prevent the use of the website by other users. This has been patched in versions 4.4.7 and 5.0.7.

How to fix CVE-2020-5255

To remediate CVE-2020-5255, upgrade the affected package to a fixed version below.

• —upgrade to 4.4.7 or later
• —upgrade to 4.4.8-1 or later
• —upgrade to 4.4.7 or later
• —upgrade to 4.4.7 or later

Is CVE-2020-5255 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

• >= 4.4.0, < 4.4.7, >= 5.0.0, < 5.0.7
• from 0, < 4.4.8-1
• >= 4.4.0, < 4.4.7
• >= 4.4.0, < 4.4.7

CVSS scores

References (10)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-5255
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2020-5255
• WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2020-5255.yaml
• WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2020-5255.yaml