NVD Vulnerability Detail

CVE-2013-4752

Summary	Symfony 2.0.X before 2.0.24, 2.1.X before 2.1.12, 2.2.X before 2.2.5, and 2.3.X before 2.3.3 have an issue in the HttpFoundation component. The Host header can be manipulated by an attacker when the framework is generating an absolute URL. A remote attacker could exploit this vulnerability to inject malicious content into the Web application page and conduct various attacks.
Publication Date	Jan. 3, 2020, 2:15 a.m.
Registration Date	Jan. 26, 2021, 3:44 p.m.
Last Update	Nov. 21, 2024, 10:56 a.m.

CVSS3.1 : MEDIUM
スコア	6.1
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	低
攻撃に必要な特権レベル(PR)	不要
利用者の関与(UI)	要
影響の想定範囲(S)	変更あり
機密性への影響(C)	低
完全性への影響(I)	低
可用性への影響(A)	なし

CVSS2.0 : MEDIUM
Score	4.3
Vector	AV:N/AC:M/Au:N/C:N/I:P/A:N
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	中
攻撃前の認証要否(Au)	不要
機密性への影響(C)	なし
完全性への影響(I)	低
可用性への影響(A)	なし
Get all privileges.	いいえ
Get user privileges	いいえ
Get other privileges	いいえ
User operation required	はい

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:sensiolabs:symfony::::::::	2.3.0			2.3.3
cpe:2.3:a:sensiolabs:symfony::::::::	2.2.0			2.2.5
cpe:2.3:a:sensiolabs:symfony::::::::	2.1.0			2.1.12
cpe:2.3:a:sensiolabs:symfony::::::::	2.0.0			2.0.24

Configuration2	or higher	or less	more than	less than
cpe:2.3:o:fedoraproject:fedora:18:::::::*
cpe:2.3:o:fedoraproject:fedora:19:::::::*

Related information, measures and tools

No	URL	タグ
1	http://lists.fedoraproject.org/pipermail/package-announce/2013-August/114450.html	Third Party Advisory
2	http://lists.fedoraproject.org/pipermail/package-announce/2013-August/114450.html	Third Party Advisory
3	http://lists.fedoraproject.org/pipermail/package-announce/2013-August/114461.html	Third Party Advisory
4	http://lists.fedoraproject.org/pipermail/package-announce/2013-August/114461.html	Third Party Advisory
5	http://symfony.com/blog/security-releases-symfony-2-0-24-2-1-12-2-2-5-and-2-3-3-released	Patch Vendor Advisory
6	http://symfony.com/blog/security-releases-symfony-2-0-24-2-1-12-2-2-5-and-2-3-3-released	Patch Vendor Advisory
7	http://www.securityfocus.com/bid/61715	Third Party Advisory VDB Entry
8	http://www.securityfocus.com/bid/61715	Third Party Advisory VDB Entry
9	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4752	Issue Tracking Patch Third Party Advisory
10	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4752	Issue Tracking Patch Third Party Advisory
11	https://exchange.xforce.ibmcloud.com/vulnerabilities/86365	Third Party Advisory VDB Entry
12	https://exchange.xforce.ibmcloud.com/vulnerabilities/86365	Third Party Advisory VDB Entry
13	https://exchange.xforce.ibmcloud.com/vulnerabilities/86366	Third Party Advisory VDB Entry
14	https://exchange.xforce.ibmcloud.com/vulnerabilities/86366	Third Party Advisory VDB Entry
15	https://exchange.xforce.ibmcloud.com/vulnerabilities/86367	Third Party Advisory VDB Entry
16	https://exchange.xforce.ibmcloud.com/vulnerabilities/86367	Third Party Advisory VDB Entry
17	https://exchange.xforce.ibmcloud.com/vulnerabilities/86368	Third Party Advisory VDB Entry
18	https://exchange.xforce.ibmcloud.com/vulnerabilities/86368	Third Party Advisory VDB Entry
19	https://exchange.xforce.ibmcloud.com/vulnerabilities/86369	Third Party Advisory VDB Entry
20	https://exchange.xforce.ibmcloud.com/vulnerabilities/86369	Third Party Advisory VDB Entry
21	https://exchange.xforce.ibmcloud.com/vulnerabilities/86370	Third Party Advisory VDB Entry
22	https://exchange.xforce.ibmcloud.com/vulnerabilities/86370	Third Party Advisory VDB Entry
23	https://exchange.xforce.ibmcloud.com/vulnerabilities/86371	Third Party Advisory VDB Entry
24	https://exchange.xforce.ibmcloud.com/vulnerabilities/86371	Third Party Advisory VDB Entry
25	https://exchange.xforce.ibmcloud.com/vulnerabilities/86372	Third Party Advisory VDB Entry
26	https://exchange.xforce.ibmcloud.com/vulnerabilities/86372	Third Party Advisory VDB Entry
27	https://exchange.xforce.ibmcloud.com/vulnerabilities/86373	Third Party Advisory VDB Entry
28	https://exchange.xforce.ibmcloud.com/vulnerabilities/86373	Third Party Advisory VDB Entry
29	https://exchange.xforce.ibmcloud.com/vulnerabilities/86374	Third Party Advisory VDB Entry
30	https://exchange.xforce.ibmcloud.com/vulnerabilities/86374	Third Party Advisory VDB Entry

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-79	クロスサイト・スクリプティング（XSS）	https://cwe.mitre.org/data/definitions/79.html

JVN Vulnerability Information

Symfony におけるクロスサイトスクリプティングの脆弱性

Title	Symfony におけるクロスサイトスクリプティングの脆弱性
Summary	Symfony には、クロスサイトスクリプティングの脆弱性が存在します。
Possible impacts	情報を取得される、および情報を改ざんされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Aug. 7, 2013, midnight
Registration Date	Jan. 27, 2020, 10:17 a.m.
Last Update	Jan. 27, 2020, 10:17 a.m.

Affected System

Fedora Project

Fedora

Sensio Labs

Symfony 2.0.24 未満の 2.0.X

Symfony 2.1.12 未満の 2.1.X

Symfony 2.2.5 未満の 2.2.X

Symfony 2.3.3 未満の 2.3.X

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2013-4752	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4752
National Vulnerability Database (NVD)
2	CVE-2013-4752	https://nvd.nist.gov/vuln/detail/CVE-2013-4752

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-79	https://jvndb.jvn.jp/ja/cwe/CWE-79.html

ベンダー情報

No	Name	URL
Fedora Update Notification
1	FEDORA-2013-14579	https://lists.fedoraproject.org/pipermail/package-announce/2013-August/114461.html
2	FEDORA-2013-14608	https://lists.fedoraproject.org/pipermail/package-announce/2013-August/114450.html
Symfony
3	Security releases: Symfony 2.0.24, 2.1.12, 2.2.5, and 2.3.3 released	https://symfony.com/blog/security-releases-symfony-2-0-24-2-1-12-2-2-5-and-2-3-3-released

その他

No	Name	URL
関連文書
1	Bug 995583 (CVE-2013-4752) - CVE-2013-4752 php-symfony2-HttpFoundation: Request::getHost() poisioning	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4752

Change Log

No	Changed Details	Date of change
1	[2020年01月27日] 掲載	Jan. 27, 2020, 10:17 a.m.