CVE-2021-41267

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2021-41267
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-41267.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-41267
Aliases
Related
Published
2021-11-24T19:15:07.737Z
Modified
2026-02-24T11:41:23.227036Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N CVSS Calculator
Summary
[none]
Details

Symfony/Http-Kernel is the HTTP kernel component for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Headers that are not part of the "trustedheaders" allowed list are ignored and protect users from "Cache poisoning" attacks. In Symfony 5.2, maintainers added support for the X-Forwarded-Prefix headers, but this header was accessible in SubRequest, even if it was not part of the "trustedheaders" allowed list. An attacker could leverage this opportunity to forge requests containing a X-Forwarded-Prefix header, leading to a web cache poisoning issue. Versions 5.3.12 and later have a patch to ensure that the X-Forwarded-Prefix header is not forwarded to subrequests when it is not trusted.

References

Affected packages

Git / github.com/symfony/symfony

Affected ranges

Type
GIT
Repo
https://github.com/symfony/symfony
Events
Introduced
8b51547061b29081803eb9fdf9b02cf80a1e1a74
Fixed
256c34a45b79fdc6276a8c941a1656713ee1ffec

Affected versions

v3.*
v3.4.48
v4.*
v4.4.18
v4.4.19
v4.4.20
v4.4.21
v4.4.22
v4.4.23
v4.4.24
v4.4.25
v4.4.26
v4.4.27
v4.4.28
v4.4.29
v4.4.30
v4.4.31
v4.4.32
v4.4.33
v4.4.34
v5.*
v5.1.10
v5.2.0
v5.2.1
v5.2.10
v5.2.11
v5.2.12
v5.2.13
v5.2.14
v5.2.2
v5.2.3
v5.2.4
v5.2.5
v5.2.6
v5.2.7
v5.2.8
v5.2.9
v5.3.0
v5.3.0-BETA1
v5.3.0-BETA2
v5.3.0-BETA3
v5.3.0-BETA4
v5.3.0-RC1
v5.3.1
v5.3.10
v5.3.11
v5.3.2
v5.3.3
v5.3.4
v5.3.5
v5.3.6
v5.3.7
v5.3.8
v5.3.9

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-41267.json"