ASA-2019-00229 – Symfony: Reject invalid HTTP method overrides


Allele Security Alert

ASA-2019-00229

Identifier(s)

ASA-2019-00229, CVE-2019-10913

Title

Reject invalid HTTP method overrides

Vendor(s)

Sensio Labs

Product(s)

Symfony

Affected version(s)

Symfony 2.7.0 to 2.7.50
Symfony 2.8.0 to 2.8.49
Symfony 3.4.0 to 3.4.25
Symfony 4.1.0 to 4.1.11
Symfony 4.2.0 to 4.2.6

Fixed version(s)

Symfony 2.7.51
Symfony 2.8.50
Symfony 3.4.26
Symfony 4.1.12
Symfony 4.2.7

Proof of concept

Unknown

Description

HTTP methods, taken either from the HTTP method itself or from the X-Http-Method-Override header, were previously returned as the method in question without any validation of the string, meaning that they could be used in dangerous contexts when left unescaped.
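
As an added illustration (not Symfony's own code) of the behaviour the description refers to, the following PHP sketch resolves the effective method of a POST request from the X-HTTP-Method-Override header or a _method form field, and shows the unvalidated return beside a check that rejects anything other than an upper-case ASCII method token; resolveMethod and InvalidMethodOverride are hypothetical names.

```php
<?php
// Added example, not Symfony's code: a minimal model of how a framework
// resolves the effective HTTP method, with and without the validation
// whose absence CVE-2019-10913 describes. Names are hypothetical.

declare(strict_types=1);

final class InvalidMethodOverride extends \UnexpectedValueException {}

/**
 * Resolve the effective HTTP method: the real request method, which a
 * POST may override via the X-HTTP-Method-Override header or a _method
 * form field. $strict toggles the validation of the resulting token.
 */
function resolveMethod(array $server, array $post, bool $strict): string
{
    $method = strtoupper($server['REQUEST_METHOD'] ?? 'GET');
    if ($method !== 'POST') {
        return $method;
    }
    if (isset($server['HTTP_X_HTTP_METHOD_OVERRIDE'])) {
        $method = $server['HTTP_X_HTTP_METHOD_OVERRIDE'];
    } elseif (isset($post['_method'])) {
        $method = $post['_method'];
    }
    $method = strtoupper((string) $method);

    // Hardened form: a method token may only be upper-case ASCII letters.
    // The D modifier matters: without it "$" also matches before a trailing
    // newline, so "GET\n" would slip through. Without this check the raw
    // override value (quotes, spaces, newlines included) is handed to the
    // application as "the method".
    if ($strict && !preg_match('/^[A-Z]++$/D', $method)) {
        throw new InvalidMethodOverride(sprintf('Invalid method override "%s".', $method));
    }
    return $method;
}

// Constructed sample request: a POST whose override value is not a valid token.
$server = ['REQUEST_METHOD' => 'POST', 'HTTP_X_HTTP_METHOD_OVERRIDE' => 'DELETE "x"'];

echo resolveMethod($server, [], false), PHP_EOL;   // unvalidated: DELETE "X" is returned as the method

try {
    resolveMethod($server, [], true);
} catch (InvalidMethodOverride $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;  // validated: the override is refused
}

echo resolveMethod(['REQUEST_METHOD' => 'POST'], ['_method' => 'patch'], true), PHP_EOL; // PATCH
```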

Technical details

Unknown

Credits

Nicolas Grekas

Reference(s)

CVE-2019-10913: Reject invalid HTTP method overrides
https://symfony.com/blog/cve-2019-10913-reject-invalid-http-method-overrides

CVE-2019-10913
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10913

CVE-2019-10913
https://nvd.nist.gov/vuln/detail/CVE-2019-10913

If there is any error in this alert, or you would like a comprehensive analysis, let us know.

Last modified: April 27, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.