Drupal issued an update to patch a vulnerability in its Symfony library that if exploited would give an attacker to gain access to higher level caches and web servers.

The issue, CVE-2018-14773, effects many Symfony versions, 2.7.0 to 2.7.48, 2.8.0 to 2.8.43, 3.3.0 to 3.3.17, 3.4.0 to 3.4.13, 4.0.0 to 4.0.13 and 4.1.0 to 4.1.2 versions of the Symfony HttpFoundation component. This issue is resolved by updating to 2.7.49, 2.8.44, 3.3.18, 3.4.14, 4.0.14, and 4.1.3.

The vulnerability involves “support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header allows a user to access one URL but have Symfony return a different one which can bypass restrictions on higher level caches and web servers,” Drupal stated.

Essentially, the update drops support for the obsolete headers.

Drupal also noted that the same vulnerability also exists in the Zend Feed and Diactoros libraries included in Drupal core; but the problem is moot because Drupal core does not use the vulnerable functionality.