Bug 2324258 (CVE-2024-50342) - CVE-2024-50342 php-symfony-http-client: Internal address and port enumeration allowed by NoPrivateNetworkHttpClient in symfony/http-client
Summary: CVE-2024-50342 php-symfony-http-client: Internal address and port enumeration...
Keywords:
Status: NEW
Alias: CVE-2024-50342
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2324261
Blocks:
Reported: 2024-11-06 22:01 UTC by OSIDB Bzimport
Modified: 2024-11-06 22:14 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description (OSIDB Bzimport, 2024-11-06 22:01:19 UTC)
symfony/http-client is a module for the Symfony PHP framework that provides powerful methods to fetch HTTP resources synchronously or asynchronously. When `NoPrivateNetworkHttpClient` is used, the client still leaks some internal information during host resolution, which makes IP address and port enumeration possible. As of versions 5.4.46, 6.4.14, and 7.1.7, `NoPrivateNetworkHttpClient` filters blocked IPs earlier to prevent such leaks. All users are advised to upgrade. There are no known workarounds for this vulnerability.
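Since upgrading is the only remediation, the practical check is whether a project's pinned symfony/http-client release predates the fixed versions named above. The following script is an added example, not part of this bug report or of Symfony; it assumes the standard composer.lock layout (a "packages" and a "packages-dev" array of objects with "name" and "version"), and the composer.lock fragment it reads is constructed for the demo.

```python
import json
import re

PACKAGE = "symfony/http-client"
# First release carrying the fix on each branch named in the advisory.
FIXED = {5: (5, 4, 46), 6: (6, 4, 14), 7: (7, 1, 7)}


def parse_version(text):
    """Turn 'v6.4.13' (composer.lock style) into (6, 4, 13).
    Returns None for non-release values such as 'dev-main'."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", text.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(version):
    """True if the version predates the fix on its branch, False if fixed,
    None if the value cannot be compared (inspect manually)."""
    v = parse_version(version)
    if v is None:
        return None
    fixed = FIXED.get(v[0])
    if fixed is None:
        # Assumption: majors with no listed fix (e.g. 4.x) were never patched,
        # so anything below 5.4.46 counts as affected, anything above 7.1.7 as fixed.
        return v < FIXED[5]
    return v < fixed


def check_lock(lock_json):
    """Return (version, is_vulnerable) for symfony/http-client in a
    composer.lock document, or (None, None) if it is not installed."""
    data = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == PACKAGE:
                return pkg["version"], is_vulnerable(pkg["version"])
    return None, None


# Constructed composer.lock fragment for the demo (not from a real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "symfony/http-client", "version": "v6.4.13"},
        {"name": "symfony/http-client-contracts", "version": "v3.5.0"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    version, affected = check_lock(SAMPLE_LOCK)
    print(f"{PACKAGE} {version}: {'AFFECTED' if affected else 'fixed'}")
```

Run it against a real lock file by replacing SAMPLE_LOCK with the file's contents; a None result means the package is pinned to a dev branch and needs a manual look.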

