The Symfony PHP framework has a vulnerability in versions before 2.7.49, 2.8.44, 3.3.18, 3.4.14, 4.0.14, and 4.1.3. Support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header allows a user to access one URL but have Symfony return a different one which can bypass restrictions on higher level caches and web servers. The fix drops support for these two obsolete IIS headers: X-Original-URL and X_REWRITE_URL. External Reference: https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers Upstream Patch: https://github.com/symfony/symfony/commit/e447e8b92148ddb3d1956b96638600ec95e08f6b
Created php-symfony tracking bugs for this issue: Affects: epel-all [bug 1611910] Affects: fedora-all [bug 1611907] Created php-symfony3 tracking bugs for this issue: Affects: fedora-all [bug 1611909] Created php-symfony4 tracking bugs for this issue: Affects: fedora-all [bug 1611908]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.