Patch/Configuration Management, Vulnerability Management

Drupal patches vulnerability in Symfony library


Drupal issued an update to patch a vulnerability in its Symfony library that, if exploited, would allow an attacker to gain access to higher level caches and web servers.

The issue, CVE-2018-14773, affects versions 2.7.0 to 2.7.48, 2.8.0 to 2.8.43, 3.3.0 to 3.3.17, 3.4.0 to 3.4.13, 4.0.0 to 4.0.13 and 4.1.0 to 4.1.2 of the Symfony HttpFoundation component. It is resolved by updating to 2.7.49, 2.8.44, 3.3.18, 3.4.14, 4.0.14 or 4.1.3.

The vulnerability involves “support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header allows a user to access one URL but have Symfony return a different one which can bypass restrictions on higher level caches and web servers,” Drupal stated.

Essentially, the update drops support for the obsolete headers.
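To make the mechanism concrete, here is an added Python model (not Drupal's or Symfony's code) of the path resolution before and after the fix, together with a small check a defender can run over request headers. The /admin edge rule and the header precedence order are assumptions for illustration.

```python
from typing import Dict, List, Mapping

# Header names from the advisory, in the precedence order assumed here
# (X-Original-URL consulted before X-Rewrite-URL).
LEGACY_IIS_HEADERS = ("X-Original-URL", "X-Rewrite-URL")


def resolved_path(request_uri: str, headers: Mapping[str, str],
                  honor_legacy_headers: bool) -> str:
    """Path the application will actually route.

    honor_legacy_headers=True models the pre-fix HttpFoundation behaviour,
    where a legacy header silently replaces the request URI; False models
    the patched behaviour, where only the request URI is used.
    """
    if honor_legacy_headers:
        lowered: Dict[str, str] = {k.lower(): v for k, v in headers.items()}
        for name in LEGACY_IIS_HEADERS:
            if name.lower() in lowered:
                return lowered[name.lower()]
    return request_uri


def edge_allows(request_uri: str) -> bool:
    """Constructed front-end rule: a cache or web server in front of the app
    sees only the request line, so it restricts /admin by path prefix."""
    return not request_uri.startswith("/admin")


def restriction_bypassed(request_uri: str, headers: Mapping[str, str],
                         honor_legacy_headers: bool) -> bool:
    """True when the edge lets the request through but the application
    still routes it under /admin, i.e. the edge restriction was bypassed."""
    app_path = resolved_path(request_uri, headers, honor_legacy_headers)
    return edge_allows(request_uri) and app_path.startswith("/admin")


def legacy_override_headers(headers: Mapping[str, str]) -> List[str]:
    """Detection helper: legacy override headers present in a request.
    Any hit is worth logging; ordinary clients have no reason to send them."""
    present = {k.lower() for k in headers}
    return [h for h in LEGACY_IIS_HEADERS if h.lower() in present]


if __name__ == "__main__":
    # Constructed request: benign request line, override header attached.
    sample = {"Host": "example.test", "X-Original-URL": "/admin/users"}
    print("bypass before fix:", restriction_bypassed("/", sample, True))   # True
    print("bypass after fix: ", restriction_bypassed("/", sample, False))  # False
    print("flagged headers:  ", legacy_override_headers(sample))
```

The same check applied at a reverse proxy (stripping or rejecting these two headers before requests reach the application) closes the gap for any upstream that has not yet been updated.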

Drupal also noted that the same vulnerability exists in the Zend Feed and Diactoros libraries included in Drupal core, but the problem is moot because Drupal core does not use the vulnerable functionality.
