CVE-2021-41267 in Symfony
Summary
by MITRE • 11/24/2021
Symfony/Http-Kernel is the HTTP kernel component for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Headers that are not part of the "trusted_headers" allowed list are ignored, which protects users from cache poisoning attacks. In Symfony 5.2, maintainers added support for the `X-Forwarded-Prefix` header, but this header was accessible in subrequests even when it was not part of the "trusted_headers" allowed list. An attacker could leverage this to forge requests containing an `X-Forwarded-Prefix` header, leading to a web cache poisoning issue. Versions 5.3.12 and later have a patch to ensure that the `X-Forwarded-Prefix` header is not forwarded to subrequests when it is not trusted.
Analysis
by VulDB Data Team • 11/27/2021
CVE-2021-41267 affects the Symfony Http-Kernel component, the core HTTP kernel of the Symfony PHP framework for web and console applications. The component manages HTTP requests and responses and guards against cache poisoning by maintaining a whitelist of trusted headers: any proxy header that is not in the "trusted_headers" allowed list is ignored, so an untrusted header cannot influence how a request is processed. Symfony 5.2 added support for the X-Forwarded-Prefix header, which a reverse proxy or load balancer uses to tell the application the original path prefix of a request it forwarded. The implementation, however, did not apply the same filtering when headers were copied from the main request into subrequests, leaving an exploitable gap in the trust model.
The flaw is that the X-Forwarded-Prefix header, which should be honoured only when explicitly trusted, was forwarded to subrequests even when it was not in the trusted_headers configuration. This creates a web cache poisoning vulnerability: an attacker can inject an X-Forwarded-Prefix value into a request, the subrequest processes it as though it came from a trusted proxy, and the application may cache a response built from that injected value and serve it to other users, potentially leading to unauthorized access or data exposure. The root cause is header-forwarding logic that fails to respect the trusted headers whitelist for subrequests, bypassing the control that is correctly applied to the main request. This violates the principle of least privilege in the component's design: a header should be acted on only when it has been explicitly authorized.
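To make the trust boundary concrete, here is an added example (not Symfony's own code and not the 5.3.12 patch) of a subrequest builder that mirrors the fixed behaviour described above: the parent request's server parameters are copied, but HTTP_X_FORWARDED_PREFIX is dropped unless the application has put X-Forwarded-Prefix in its trusted header set and the request actually came from a trusted proxy. It assumes symfony/http-foundation 5.2 or later is installed via Composer; the function names serverParamsForSubRequest and createSubRequest are hypothetical.

```php
<?php
// Added example: honour the trusted-header set when building a subrequest.
require __DIR__ . '/vendor/autoload.php'; // assumes symfony/http-foundation >= 5.2

use Symfony\Component\HttpFoundation\Request;

/**
 * Copy the parent's server parameters for a subrequest, stripping the
 * X-Forwarded-Prefix header unless it is explicitly trusted AND the
 * parent request arrived from a configured trusted proxy.
 */
function serverParamsForSubRequest(Request $parent): array
{
    $server = $parent->server->all();
    $prefixTrusted = (Request::getTrustedHeaderSet() & Request::HEADER_X_FORWARDED_PREFIX) !== 0
        && $parent->isFromTrustedProxy();
    if (!$prefixTrusted) {
        unset($server['HTTP_X_FORWARDED_PREFIX']);
    }
    return $server;
}

/** Build a subrequest for $uri that inherits only the headers we trust. */
function createSubRequest(Request $parent, string $uri): Request
{
    return Request::create($uri, 'GET', [], $parent->cookies->all(), [], serverParamsForSubRequest($parent));
}

// Constructed parent request: the client itself sent X-Forwarded-Prefix and
// no trusted proxy is configured, so the header must not reach the subrequest.
$parent = Request::create('/page', 'GET', [], [], [], [
    'REMOTE_ADDR'             => '203.0.113.10',   // constructed client address
    'HTTP_X_FORWARDED_PREFIX' => '/injected',      // constructed, untrusted value
]);

$sub = createSubRequest($parent, '/_fragment/menu');
var_dump($sub->headers->has('X-Forwarded-Prefix'));   // bool(false): stripped

// Same parent once 203.0.113.10 is declared a trusted proxy and the prefix
// header is part of the trusted header set: now it is legitimately forwarded.
Request::setTrustedProxies(
    ['203.0.113.10'],
    Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_PREFIX
);
$sub = createSubRequest($parent, '/_fragment/menu');
var_dump($sub->headers->get('X-Forwarded-Prefix'));   // string(9) "/injected"
```

Run it with `php example.php`; the first dump shows the untrusted header being discarded and the second shows it surviving only after the proxy and the header have both been trusted explicitly.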
The operational impact is significant for Symfony applications that rely on caching and sit behind proxies. When exploited, the vulnerability lets an attacker poison web caches by injecting X-Forwarded-Prefix values that cause the application to cache incorrect responses or redirect users to attacker-chosen destinations. The attack is most effective where applications are deployed behind reverse proxies or load balancers that use X-Forwarded-Prefix for URL rewriting or path manipulation. Applications using Symfony 5.2 are at risk; the issue is resolved in versions 5.3.12 and later, which stop forwarding the X-Forwarded-Prefix header to subrequests when it is not explicitly trusted. For organizations that depend on Symfony for their web applications, the consequences of cache manipulation can include service disruption, data compromise, or unauthorized access.
CVE-2021-41267 is classified under CWE-200, which covers information exposure through improper filtering of sensitive information, and relates to ATT&CK technique T1566.001 for credential access through spearphishing attachments or links. Organizations should upgrade to Symfony 5.3.12 or later, configure trusted headers deliberately in their application settings, and review proxy configurations so that only trusted headers are forwarded through their infrastructure. Further defensive measures include monitoring cache behaviour for unusual patterns, validating headers at multiple layers of the application architecture, and auditing proxy and load balancer configurations. The vulnerability underlines the need for thorough security testing of header handling and for consistent security policy across every component involved in request and subrequest processing within a web framework.