befriending-service-with-symfony's Introduction

Vonage

Building a Befriending Service with Symfony

With the current global situation, most countries are in some form of lockdown. Social distancing is critical right now to reduce the impact of Covid-19. But sadly, at the same time, it isolates those people who don't have a large pool of people to call during their days trapped indoors. At Vonage, we have regular opportunities to build something for our own learning. For this one, I chose to create a befriending service, which introduces users who are vulnerable, lonely, or simply want a different person to talk to each day. The idea behind this is to enable people to make new friends while in lockdown, or at any time.

The master branch is the starting branch for the accompanying post at: Blog post url here

Table of Contents

Prerequisites

Getting Started

Clone the Repository

Run the following two commands to clone this repository and change directory into the repository directory.

git clone git@github.com:nexmo-community/befriending-service-with-symfony.git
cd befriending-service-with-symfony

Database Credentials

Within the project/ directory, create a .env.local file. This is where you store local environment variables that you don't want committed to your repository, such as your database connection settings. Copy the following line into your .env.local file:

DATABASE_URL=mysql://user:password@mysql:3306/befriending?serverVersion=8.0.17&charset=utf8

Run Docker

Within the docker/ directory run: docker-compose up -d.

Once it completes, you should see confirmation that the three containers are running.

Install Third Party Libraries

Several third-party libraries are already defined and need to be installed via Composer.

Run the following command inside the docker/ directory:

docker-compose exec php composer install

Test Run the Application

Go to http://localhost:8081/ in your browser; you should be greeted with Symfony's default template.

If you're at this point, you're all set up and ready for this tutorial.

Code of Conduct

In the interest of fostering an open and welcoming environment, we strive to make participation in our project and our community a harassment-free experience for everyone. Please check out our Code of Conduct in full.

Contributing

We ❤️ contributions from everyone! Check out the Contributing Guidelines for more information.

License

This project is subject to the MIT License.

befriending-service-with-symfony's Issues

symfony/translation-v5.0.8: 3 vulnerabilities (highest severity is: 8.8)

Vulnerable Library - symfony/translation-v5.0.8

Found in HEAD commit: ed625cb4686799e69f6af6c96efc1416f702951d

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (symfony/translation-v5.0.8 version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2022-24894 | High | 8.8 | symfony/http-kernel-v5.0.8 | Transitive | N/A* | |
| CVE-2020-15094 | High | 8.8 | symfony/http-kernel-v5.0.8 | Transitive | N/A* | |
| CVE-2021-41267 | Medium | 6.5 | symfony/http-kernel-v5.0.8 | Transitive | N/A* | |

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-24894

Vulnerable Library - symfony/http-kernel-v5.0.8

Symfony HttpKernel Component

Library home page: https://api.github.com/repos/symfony/http-kernel/zipball/3565e51eecd06106304baba5ccb7ba89db2d7d2b

Dependency Hierarchy:

  • symfony/translation-v5.0.8 (Root Library)
    • symfony/http-kernel-v5.0.8 (Vulnerable Library)

Found in HEAD commit: ed625cb4686799e69f6af6c96efc1416f702951d

Found in base branch: main

Vulnerability Details

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony HTTP cache system acts as a reverse proxy: it caches entire responses (including headers) and returns them to the clients. In a recent change in the AbstractSessionListener, the response might contain a Set-Cookie header. If the Symfony HTTP cache system is enabled, this response might be stored and returned to the next clients. An attacker can use this vulnerability to retrieve the victim's session. This issue has been patched and is available for branch 4.4.

Publish Date: 2023-02-03

URL: CVE-2022-24894

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://symfony.com/blog/cve-2022-24894-prevent-storing-cookie-headers-in-httpcache

Release Date: 2022-02-11

Fix Resolution: v4.4.50, v5.4.20, v6.0.20, v6.1.12, v6.2.6

CVE-2020-15094

Vulnerable Library - symfony/http-kernel-v5.0.8

Symfony HttpKernel Component

Library home page: https://api.github.com/repos/symfony/http-kernel/zipball/3565e51eecd06106304baba5ccb7ba89db2d7d2b

Dependency Hierarchy:

  • symfony/translation-v5.0.8 (Root Library)
    • symfony/http-kernel-v5.0.8 (Vulnerable Library)

Found in HEAD commit: ed625cb4686799e69f6af6c96efc1416f702951d

Found in base branch: main

Vulnerability Details

In Symfony before versions 4.4.13 and 5.1.5, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response for a request being made by the CachingHttpClient, remote code execution is possible. This has been fixed in versions 4.4.13 and 5.1.5.

Publish Date: 2020-09-02

URL: CVE-2020-15094

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-754h-5r27-7x3r

Release Date: 2020-09-02

Fix Resolution: 4.4.13,5.1.5

CVE-2021-41267

Vulnerable Library - symfony/http-kernel-v5.0.8

Symfony HttpKernel Component

Library home page: https://api.github.com/repos/symfony/http-kernel/zipball/3565e51eecd06106304baba5ccb7ba89db2d7d2b

Dependency Hierarchy:

  • symfony/translation-v5.0.8 (Root Library)
    • symfony/http-kernel-v5.0.8 (Vulnerable Library)

Found in HEAD commit: ed625cb4686799e69f6af6c96efc1416f702951d

Found in base branch: main

Vulnerability Details

Symfony/Http-Kernel is the HTTP kernel component for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Headers that are not part of the "trusted_headers" allowed list are ignored and protect users from "Cache poisoning" attacks. In Symfony 5.2, maintainers added support for the X-Forwarded-Prefix header, but this header was accessible in SubRequest, even if it was not part of the "trusted_headers" allowed list. An attacker could leverage this opportunity to forge requests containing an X-Forwarded-Prefix header, leading to a web cache poisoning issue. Versions 5.3.12 and later have a patch to ensure that the X-Forwarded-Prefix header is not forwarded to subrequests when it is not trusted.

Publish Date: 2021-11-24

URL: CVE-2021-41267

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-q3j3-w37x-hq2q

Release Date: 2021-11-24

Fix Resolution: v5.3.12

symfony/security-bundle-v5.0.8: 3 vulnerabilities (highest severity is: 8.8)

Vulnerable Library - symfony/security-bundle-v5.0.8

Found in HEAD commit: ed625cb4686799e69f6af6c96efc1416f702951d

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (symfony/security-bundle-v5.0.8 version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2022-24895 | High | 8.8 | symfony/security-http-v5.0.8 | Transitive | N/A* | |
| CVE-2021-41270 | Medium | 6.5 | symfony/serializer-v5.0.8 | Transitive | N/A* | |
| CVE-2021-21424 | Medium | 5.3 | symfony/security-guard-v5.0.8 | Transitive | N/A* | |

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-24895

Vulnerable Library - symfony/security-http-v5.0.8

Symfony Security Component - HTTP Integration

Library home page: https://api.github.com/repos/symfony/security-http/zipball/052d81213d007c07e61c9c4407cfd34e67b9ed17

Dependency Hierarchy:

  • symfony/security-bundle-v5.0.8 (Root Library)
    • symfony/security-http-v5.0.8 (Vulnerable Library)

Found in HEAD commit: ed625cb4686799e69f6af6c96efc1416f702951d

Found in base branch: main

Vulnerability Details

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. When authenticating users, Symfony by default regenerates the session ID upon login but preserves the rest of the session attributes. Because this does not clear CSRF tokens upon login, it might enable same-site attackers to bypass the CSRF protection mechanism by performing an attack similar to session fixation. This issue has been fixed in the 4.4 branch.

Publish Date: 2023-02-03

URL: CVE-2022-24895

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://symfony.com/blog/cve-2022-24895-csrf-token-fixation

Release Date: 2022-02-11

Fix Resolution: v4.4.50, v5.4.20, v6.0.20, v6.1.12, v6.2.6
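
The login behaviour described for CVE-2022-24895 above, as an added example that is neither this page's nor Symfony's code: a toy in-memory session and CSRF token store in Python (the class names, the `_csrf` attribute key and the two `login_*` functions are assumptions made for illustration) showing why regenerating the session ID alone leaves a token issued before login valid afterwards, and what clearing the token storage on login changes.

```python
"""Session migration on login, with and without clearing CSRF tokens.

Added example, not Symfony's session or CSRF code. It models the
behaviour described for CVE-2022-24895: regenerating the session ID on
login while preserving every other attribute also preserves CSRF tokens
that were issued before the user authenticated.
"""
import hmac
import secrets

# Assumed attribute key for the token store; not Symfony's actual name.
CSRF_NAMESPACE = "_csrf"


class Session:
    """Minimal server-side session: an ID plus a dict of attributes."""

    def __init__(self) -> None:
        self.id = secrets.token_hex(16)
        self.attributes: dict = {}

    def migrate(self) -> None:
        """Regenerate the ID but keep all attributes (session migration)."""
        self.id = secrets.token_hex(16)


class CsrfTokenManager:
    """Issues and checks per-purpose tokens stored inside the session."""

    def __init__(self, session: Session) -> None:
        self.session = session

    def _store(self) -> dict:
        return self.session.attributes.setdefault(CSRF_NAMESPACE, {})

    def get_token(self, token_id: str) -> str:
        store = self._store()
        if token_id not in store:
            store[token_id] = secrets.token_urlsafe(32)
        return store[token_id]

    def is_token_valid(self, token_id: str, value: str) -> bool:
        expected = self._store().get(token_id)
        return expected is not None and hmac.compare_digest(expected, value)

    def clear(self) -> None:
        """Drop every token; other session attributes are untouched."""
        self.session.attributes.pop(CSRF_NAMESPACE, None)


def login_preserving_tokens(session: Session, user: str) -> None:
    """Pattern the advisory describes as vulnerable: new ID, old tokens."""
    session.migrate()
    session.attributes["user"] = user


def login_clearing_tokens(session: Session, user: str) -> None:
    """Fixed pattern: new ID and the CSRF token storage is reset."""
    session.migrate()
    CsrfTokenManager(session).clear()
    session.attributes["user"] = user


def pre_login_token_survives(login) -> bool:
    """Issue a token before authentication, log in, and report whether
    the pre-login token is still accepted afterwards."""
    session = Session()
    manager = CsrfTokenManager(session)
    token = manager.get_token("delete_account")  # issued while anonymous
    login(session, "alice")
    return manager.is_token_valid("delete_account", token)


if __name__ == "__main__":
    print("token survives login (vulnerable):",
          pre_login_token_survives(login_preserving_tokens))
    print("token survives login (fixed):",
          pre_login_token_survives(login_clearing_tokens))
```

The point of the second login function is that only the CSRF namespace is removed: the rest of the session (locale, flash messages, and so on) still carries over, which is why clearing the token store rather than invalidating the whole session is a targeted fix.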

CVE-2021-41270

Vulnerable Library - symfony/serializer-v5.0.8

Symfony Serializer Component

Library home page: https://api.github.com/repos/symfony/serializer/zipball/aa5d99bb179b5166cfe15d79dc067f516f3f4343

Dependency Hierarchy:

  • symfony/security-bundle-v5.0.8 (Root Library)
    • symfony/serializer-v5.0.8 (Vulnerable Library)

Found in HEAD commit: ed625cb4686799e69f6af6c96efc1416f702951d

Found in base branch: main

Vulnerability Details

Symfony/Serializer handles serializing and deserializing data structures for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Symfony versions 4.1.0 before 4.4.35 and versions 5.0.0 before 5.3.12 are vulnerable to CSV injection, also known as formula injection. In Symfony 4.1, maintainers added the opt-in csv_escape_formulas option in the CsvEncoder, to prefix all cells starting with =, +, - or @ with a tab \t. Since then, OWASP added 2 chars to that list: Tab (0x09) and Carriage return (0x0D). This makes the previous prefix char (Tab \t) part of the vulnerable characters, and OWASP suggests using the single quote ' for prefixing the value. Starting with versions 4.4.34 and 5.3.12, Symfony now follows the OWASP recommendations and uses the single quote ' to prefix formulas, and adds the prefix to cells starting with \t or \r as well as =, +, - and @.

Publish Date: 2021-11-24

URL: CVE-2021-41270

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-2xhg-w2g5-w95x

Release Date: 2021-11-24

Fix Resolution: v4.4.35,v5.3.12

CVE-2021-21424

Vulnerable Library - symfony/security-guard-v5.0.8

Symfony Security Component - Guard

Library home page: https://api.github.com/repos/symfony/security-guard/zipball/9e9ebbd005ca5af051e57a47d46394357cdff1d8

Dependency Hierarchy:

  • symfony/security-bundle-v5.0.8 (Root Library)
    • symfony/security-guard-v5.0.8 (Vulnerable Library)

Found in HEAD commit: ed625cb4686799e69f6af6c96efc1416f702951d

Found in base branch: main

Vulnerability Details

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling depending on whether the user existed or not when attempting to use the switch users functionality. We now ensure that 403s are returned whether the user exists or not if a user cannot switch to a user or if the user does not exist. The patch for this issue is available for branch 3.4.

Publish Date: 2021-05-13

URL: CVE-2021-21424

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-5pv8-ppvj-4h68

Release Date: 2021-05-13

Fix Resolution: v3.4.48,v4.4.23,v5.2.8

symfony/framework-bundle-v5.0.8: 1 vulnerabilities (highest severity is: 6.5) - autoclosed

Vulnerable Library - symfony/framework-bundle-v5.0.8

Found in HEAD commit: ed625cb4686799e69f6af6c96efc1416f702951d

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2021-41270 | Medium | 6.5 | symfony/serializer-v5.0.8 | Transitive | N/A | |

Details

CVE-2021-41270

Vulnerable Library - symfony/serializer-v5.0.8

Symfony Serializer Component

Library home page: https://api.github.com/repos/symfony/serializer/zipball/aa5d99bb179b5166cfe15d79dc067f516f3f4343

Dependency Hierarchy:

  • symfony/framework-bundle-v5.0.8 (Root Library)
    • symfony/serializer-v5.0.8 (Vulnerable Library)

Found in HEAD commit: ed625cb4686799e69f6af6c96efc1416f702951d

Found in base branch: main

Vulnerability Details

Symfony/Serializer handles serializing and deserializing data structures for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Symfony versions 4.1.0 before 4.4.35 and versions 5.0.0 before 5.3.12 are vulnerable to CSV injection, also known as formula injection. In Symfony 4.1, maintainers added the opt-in csv_escape_formulas option in the CsvEncoder, to prefix all cells starting with =, +, - or @ with a tab \t. Since then, OWASP added 2 chars to that list: Tab (0x09) and Carriage return (0x0D). This makes the previous prefix char (Tab \t) part of the vulnerable characters, and OWASP suggests using the single quote ' for prefixing the value. Starting with versions 4.4.34 and 5.3.12, Symfony now follows the OWASP recommendations and uses the single quote ' to prefix formulas, and adds the prefix to cells starting with \t or \r as well as =, +, - and @.

Publish Date: 2021-11-24

URL: CVE-2021-41270

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-2xhg-w2g5-w95x

Release Date: 2021-11-24

Fix Resolution: v4.4.35,v5.3.12
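
The CsvEncoder change described for CVE-2021-41270 (in this entry and in the symfony/security-bundle entry earlier on the page), as an added example that is not Symfony's code: the two prefixing strategies from the advisory reimplemented in Python, with a small constructed export run through both. The function names and the sample rows are assumptions; the trigger character sets are the ones the advisory lists.

```python
"""CSV formula ("CSV injection") escaping: legacy Tab prefix vs. the
OWASP-aligned single-quote prefix.

Added example, not Symfony's CsvEncoder. It reimplements, from the
advisory text for CVE-2021-41270, the behaviour before and after the fix.
"""
import csv
import io

# Characters the original (Symfony 4.1) opt-in escaping looked for.
LEGACY_TRIGGERS = frozenset("=+-@")
# OWASP's list: the legacy set plus Tab (0x09) and Carriage return (0x0D).
OWASP_TRIGGERS = LEGACY_TRIGGERS | frozenset("\t\r")


def is_formula_trigger(cell: str) -> bool:
    """True if a spreadsheet would treat the cell as a formula, judged by
    OWASP's trigger list."""
    return bool(cell) and cell[0] in OWASP_TRIGGERS


def escape_legacy(cell: str) -> str:
    """Pre-fix behaviour: prefix cells starting with =, +, -, @ with a Tab.

    Tab is itself on OWASP's trigger list, so the "escaped" cell still
    begins with a trigger character: this is the defect the advisory
    describes.
    """
    if cell and cell[0] in LEGACY_TRIGGERS:
        return "\t" + cell
    return cell


def escape_owasp(cell: str) -> str:
    """Fixed behaviour (4.4.35 / 5.3.12): prefix with a single quote and
    treat a leading Tab or CR as a trigger as well."""
    if cell and cell[0] in OWASP_TRIGGERS:
        return "'" + cell
    return cell


def encode_rows(rows, escape=escape_owasp) -> str:
    """Encode rows as CSV text, passing every cell through `escape`."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for row in rows:
        writer.writerow([escape(str(cell)) for cell in row])
    return buf.getvalue()


# Constructed sample export: a header, an ordinary row, and a row whose
# user-supplied name begins with a formula trigger.
SAMPLE_ROWS = [
    ["name", "email"],
    ["Alice", "alice@example.test"],
    ["=SUM(A1:A2)", "bob@example.test"],
]


if __name__ == "__main__":
    print("legacy escaping:")
    print(encode_rows(SAMPLE_ROWS, escape_legacy))
    print("OWASP escaping:")
    print(encode_rows(SAMPLE_ROWS, escape_owasp))
```

Running the same rows through both functions shows the difference that matters: `escape_legacy` turns `=SUM(A1:A2)` into a cell that still starts with a trigger character (Tab), while `escape_owasp` produces a cell starting with `'`, which spreadsheet software renders as literal text.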

symfony/form-v5.0.8: 1 vulnerabilities (highest severity is: 5.3)

Vulnerable Library - symfony/form-v5.0.8

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (symfony/form-v5.0.8 version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2021-21424 | Medium | 5.3 | symfony/security-core-v5.0.8 | Transitive | N/A* | |

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2021-21424

Vulnerable Library - symfony/security-core-v5.0.8

Symfony Security Component - Core Library

Library home page: https://api.github.com/repos/symfony/security-core/zipball/5945abf1e64df5fdfb6aae9753c04f130fe96010

Dependency Hierarchy:

  • symfony/form-v5.0.8 (Root Library)
    • symfony/security-csrf-v5.0.8
      • symfony/security-core-v5.0.8 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling depending on whether the user existed or not when attempting to use the switch users functionality. We now ensure that 403s are returned whether the user exists or not if a user cannot switch to a user or if the user does not exist. The patch for this issue is available for branch 3.4.

Publish Date: 2021-05-13

URL: CVE-2021-21424

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-5pv8-ppvj-4h68

Release Date: 2021-05-13

Fix Resolution: v3.4.48,v4.4.23,v5.2.8

symfony/maker-bundle-v1.17.0: 3 vulnerabilities (highest severity is: 8.8) - autoclosed

Vulnerable Library - symfony/maker-bundle-v1.17.0

Found in HEAD commit: ed625cb4686799e69f6af6c96efc1416f702951d

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2020-15094 | High | 8.8 | symfony/http-kernel-v5.0.8 | Transitive | N/A | |
| CVE-2021-41267 | Medium | 6.5 | symfony/http-kernel-v5.0.8 | Transitive | N/A | |
| CVE-2021-21424 | Medium | 5.3 | symfony/security-core-v5.0.8 | Transitive | N/A | |

Details

CVE-2020-15094

Vulnerable Library - symfony/http-kernel-v5.0.8

Symfony HttpKernel Component

Library home page: https://api.github.com/repos/symfony/http-kernel/zipball/3565e51eecd06106304baba5ccb7ba89db2d7d2b

Dependency Hierarchy:

  • symfony/maker-bundle-v1.17.0 (Root Library)
    • symfony/http-kernel-v5.0.8 (Vulnerable Library)

Found in HEAD commit: ed625cb4686799e69f6af6c96efc1416f702951d

Found in base branch: main

Vulnerability Details

In Symfony before versions 4.4.13 and 5.1.5, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response for a request being made by the CachingHttpClient, remote code execution is possible. This has been fixed in versions 4.4.13 and 5.1.5.

Publish Date: 2020-09-02

URL: CVE-2020-15094

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-754h-5r27-7x3r

Release Date: 2020-09-25

Fix Resolution: 4.4.13,5.1.5

CVE-2021-41267

Vulnerable Library - symfony/http-kernel-v5.0.8

Symfony HttpKernel Component

Library home page: https://api.github.com/repos/symfony/http-kernel/zipball/3565e51eecd06106304baba5ccb7ba89db2d7d2b

Dependency Hierarchy:

  • symfony/maker-bundle-v1.17.0 (Root Library)
    • symfony/http-kernel-v5.0.8 (Vulnerable Library)

Found in HEAD commit: ed625cb4686799e69f6af6c96efc1416f702951d

Found in base branch: main

Vulnerability Details

Symfony/Http-Kernel is the HTTP kernel component for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Headers that are not part of the "trusted_headers" allowed list are ignored and protect users from "Cache poisoning" attacks. In Symfony 5.2, maintainers added support for the X-Forwarded-Prefix header, but this header was accessible in SubRequest, even if it was not part of the "trusted_headers" allowed list. An attacker could leverage this opportunity to forge requests containing an X-Forwarded-Prefix header, leading to a web cache poisoning issue. Versions 5.3.12 and later have a patch to ensure that the X-Forwarded-Prefix header is not forwarded to subrequests when it is not trusted.

Publish Date: 2021-11-24

URL: CVE-2021-41267

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-q3j3-w37x-hq2q

Release Date: 2021-11-24

Fix Resolution: v5.3.12

CVE-2021-21424

Vulnerable Library - symfony/security-core-v5.0.8

Symfony Security Component - Core Library

Library home page: https://api.github.com/repos/symfony/security-core/zipball/5945abf1e64df5fdfb6aae9753c04f130fe96010

Dependency Hierarchy:

  • symfony/maker-bundle-v1.17.0 (Root Library)
    • symfony/security-core-v5.0.8 (Vulnerable Library)

Found in HEAD commit: ed625cb4686799e69f6af6c96efc1416f702951d

Found in base branch: main

Vulnerability Details

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling depending on whether the user existed or not when attempting to use the switch users functionality. We now ensure that 403s are returned whether the user exists or not if a user cannot switch to a user or if the user does not exist. The patch for this issue is available for branch 3.4.

Publish Date: 2021-05-13

URL: CVE-2021-21424

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-5pv8-ppvj-4h68

Release Date: 2021-05-13

Fix Resolution: v3.4.48,v4.4.23,v5.2.8

symfony/twig-pack-v1.0.0: 1 vulnerabilities (highest severity is: 6.1)

Vulnerable Library - symfony/twig-pack-v1.0.0

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (symfony/twig-pack-v1.0.0 version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2023-46734 | Medium | 6.1 | symfony/twig-bridge-v5.0.8 | Transitive | N/A* | |

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-46734

Vulnerable Library - symfony/twig-bridge-v5.0.8

Symfony Twig Bridge

Library home page: https://api.github.com/repos/symfony/twig-bridge/zipball/5962eb3be6591cc985f32be1632e7b096d0979e3

Dependency Hierarchy:

  • symfony/twig-pack-v1.0.0 (Root Library)
    • symfony/twig-bundle-v5.0.8
      • symfony/twig-bridge-v5.0.8 (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 2.0.0, 5.0.0, and 6.0.0 and prior to versions 4.4.51, 5.4.31, and 6.3.8, some Twig filters in CodeExtension use is_safe=html but don't actually ensure their input is safe. As of versions 4.4.51, 5.4.31, and 6.3.8, Symfony now escapes the output of the affected filters.

Publish Date: 2023-11-10

URL: CVE-2023-46734

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-46734

Release Date: 2023-11-10

Fix Resolution: v4.4.51,v5.4.31,v6.3.8

symfony/http-client-v5.0.8: 1 vulnerabilities (highest severity is: 8.8)

Vulnerable Library - symfony/http-client-v5.0.8

Symfony HttpClient component

Library home page: https://api.github.com/repos/symfony/http-client/zipball/93b41572fbb3b8dd11d4f6f0434bbbbacd8619ab

Found in HEAD commit: ed625cb4686799e69f6af6c96efc1416f702951d

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (symfony/http-client-v5.0.8 version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2020-15094 | High | 8.8 | symfony/http-client-v5.0.8 | Direct | 4.4.13,5.1.5 | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2020-15094

Vulnerable Library - symfony/http-client-v5.0.8

Symfony HttpClient component

Library home page: https://api.github.com/repos/symfony/http-client/zipball/93b41572fbb3b8dd11d4f6f0434bbbbacd8619ab

Dependency Hierarchy:

  • symfony/http-client-v5.0.8 (Vulnerable Library)

Found in HEAD commit: ed625cb4686799e69f6af6c96efc1416f702951d

Found in base branch: main

Vulnerability Details

In Symfony before versions 4.4.13 and 5.1.5, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response for a request being made by the CachingHttpClient, remote code execution is possible. This has been fixed in versions 4.4.13 and 5.1.5.

Publish Date: 2020-09-02

URL: CVE-2020-15094

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-754h-5r27-7x3r

Release Date: 2020-09-02

Fix Resolution: 4.4.13,5.1.5

symfony/profiler-pack-v1.0.4: 1 vulnerabilities (highest severity is: 9.8)

Vulnerable Library - symfony/profiler-pack-v1.0.4

Found in HEAD commit: ed625cb4686799e69f6af6c96efc1416f702951d

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (symfony/profiler-pack-v1.0.4 version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2022-23614 | Critical | 9.8 | twig/twig-v3.0.3 | Transitive | N/A* | |

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-23614

Vulnerable Library - twig/twig-v3.0.3

Twig, the flexible, fast, and secure template language for PHP

Library home page: https://api.github.com/repos/twigphp/Twig/zipball/3b88ccd180a6b61ebb517aea3b1a8906762a1dc2

Dependency Hierarchy:

  • symfony/profiler-pack-v1.0.4 (Root Library)
    • symfony/web-profiler-bundle-v5.0.8
      • twig/twig-v3.0.3 (Vulnerable Library)

Found in HEAD commit: ed625cb4686799e69f6af6c96efc1416f702951d

Found in base branch: main

Vulnerability Details

Twig is an open source template language for PHP. When in sandbox mode, the arrow parameter of the sort filter must be a closure to avoid attackers being able to run arbitrary PHP functions. In affected versions this constraint was not properly enforced and could lead to code injection of arbitrary PHP code. Patched versions now disallow calling a non-Closure in the sort filter, as is the case for some other filters. Users are advised to upgrade.

Publish Date: 2022-02-04

URL: CVE-2022-23614

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2022-23614

Release Date: 2024-08-01

Fix Resolution: v2.14.11,v3.3.8
