Skip to content

Prevent cache poisoning via a Response Content-Type header in Symfony

Low severity GitHub Reviewed Published Mar 30, 2020 in symfony/symfony • Updated Aug 13, 2022

Package

composer symfony/http-foundation (Composer)

Affected versions

>= 4.4.0, < 4.4.7
>= 5.0.0, < 5.0.7

Patched versions

4.4.7
5.0.7

Description

Description

When a Response does not contain a Content-Type header, Symfony falls back to the format defined in the Accept header of the request, leading to a possible mismatch between the response's content and Content-Type header. When the response is cached, this can lead to a corrupted cache where the cached format is not the right one.

Resolution

Symfony does not use the Accept header anymore to guess the Content-Type.

The patch for this issue is available here for the 4.4 branch.

Credits

I would like to thank Xavier Lacot from JoliCode for reporting & Yonel Ceruto and Tobias Schultze for fixing the issue.

References

@nicolas-grekas nicolas-grekas published the maintainer security advisory Mar 30, 2020

Severity

Low
2.6
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
High
Privileges required
Low
User interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:L

Weaknesses

CVE ID

CVE-2020-5255

GHSA ID

GHSA-mcx4-f5f5-4859

Source code

No known source code
Checking history
See something to contribute? Suggest improvements for this vulnerability.