Symfony Host Header Injection vulnerability in the HttpFoundation component
Moderate severity
GitHub Reviewed
Published
May 5, 2022
to the GitHub Advisory Database
•
Updated Feb 8, 2024
Package
Affected versions
>= 2.0.0, < 2.0.24
>= 2.1.0, < 2.1.12
>= 2.2.0, < 2.2.5
>= 2.3.0, < 2.3.3
Patched versions
2.0.24
2.1.12
2.2.5
2.3.3
>= 2.0.0, < 2.0.24
>= 2.1.0, < 2.1.12
>= 2.2.0, < 2.2.5
>= 2.3.0, < 2.3.3
2.0.24
2.1.12
2.2.5
2.3.3
Description
Published by the National Vulnerability Database
Jan 2, 2020
Published to the GitHub Advisory Database
May 5, 2022
Reviewed
Aug 17, 2023
Last updated
Feb 8, 2024
Symfony 2.0.X before 2.0.24, 2.1.X before 2.1.12, 2.2.X before 2.2.5, and 2.3.X before 2.3.3 have an issue in the HttpFoundation component. The Host header can be manipulated by an attacker when the framework is generating an absolute URL. A remote attacker could exploit this vulnerability to inject malicious content into the Web application page and conduct various attacks.
References