Man-in-the-Middle (MitM) Affecting symfony/http-foundation package, versions >=2.0.0, <2.3.27 >=2.4.0, <2.5.11 >=2.6.0, <2.6.6
Snyk CVSS
Attack Complexity
Low
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PHP-SYMFONYHTTPFOUNDATION-70180
- published 1 Apr 2015
- disclosed 1 Apr 2015
- credit Dmitrii Chekaliuk
Introduced: 1 Apr 2015
CVE-2015-2309 Open this link in a new tabHow to fix?
Upgrade symfony/http-foundation to version 2.3.27, 2.6.6, 2.5.11 or higher.
Overview
Affected versions of symfony/http-foundation are vulnerable to Man-in-the-Middle (MitM).
The Symfony\Component\HttpFoundation\Request class provides a mechanism that ensures it does not trust HTTP header values coming from a "non-trusted" client. Unfortunately, it assumes that the remote address is always a trusted client if at least one trusted proxy is involved in the request; this allows a man-in-the-middle attack between the latest trusted proxy and the web server.