Vigil@nce - Symfony: two vulnerabilities
August 2013 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can exploit several vulnerabilities in Symfony.
Impacted products: Fedora, Symfony
Severity: 2/4
Creation date: 08/08/2013
DESCRIPTION OF THE VULNERABILITY
Several vulnerabilities were announced in Symfony.
When Symfony\Component\Validator\Mapping\Cache\ApcCache is
enabled, the Validator component loses information, and objects
stored using the @Valid constraint are not traversed when they are
loaded from the cache. [severity:2/4; BID-61709, CVE-2013-4751]
The Request::getHost() function returns the HTTP Host header,
which can be spoofed, and may lead to various attacks. The
solution VIGILANCE-SOL-31059 (https://vigilance.fr/tree/2/31059?w=66901)
also has to be applied to fix this vulnerability. [severity:2/4;
BID-61715, CVE-2013-4752]
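The Host header issue described above is normally handled by accepting only host names from an allowlist before the value is used. The following sketch is an added example, not code from this bulletin or from Symfony; the function name trustedHost() and the example.test host names are assumptions made for illustration.

```php
<?php
// Added example: allowlist check for the HTTP Host header.
// trustedHost() is a hypothetical helper, not a Symfony function.

/**
 * Return the normalised host if it matches a trusted pattern,
 * or null if the header is missing, malformed or not trusted.
 */
function trustedHost(?string $hostHeader, array $trustedPatterns): ?string
{
    if ($hostHeader === null || $hostHeader === '') {
        return null;
    }
    // Lower-case the value and strip an optional :port suffix.
    $host = strtolower(preg_replace('/:\d+$/', '', trim($hostHeader)));
    // Accept plain DNS names only; rejects values containing "/", "@" or spaces.
    if (preg_match('/^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$/D', $host) !== 1) {
        return null;
    }
    foreach ($trustedPatterns as $pattern) {
        // Anchor every pattern so a trusted name used as a prefix does not match.
        if (preg_match('/^' . $pattern . '$/D', $host) === 1) {
            return $host;
        }
    }
    return null;
}

// Constructed allowlist (regular expressions) and constructed sample headers.
$trusted = ['example\.test', '(.+\.)?shop\.example\.test'];
$samples = [
    'example.test',
    'Example.TEST:8443',
    'api.shop.example.test',
    'evil.test',
    'example.test.evil.test',
    'example.test/@evil.test',
    null,
];

foreach ($samples as $header) {
    $host = trustedHost($header, $trusted);
    $verdict = $host === null ? 'reject (respond 400)' : "accept as $host";
    printf("%-28s => %s\n", var_export($header, true), $verdict);
}
```

Symfony exposes an allowlist of this kind through Request::setTrustedHosts(); the sketch only shows the logic such a check needs.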
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Symfony-two-vulnerabilities-13233