Channel Accessible by Non-Endpoint

CVE-2015-2309

Medium

6.5/10

Summary

Symfony in versions before 2.3.27, 2.4.x before 2.5.11, and 2.6.x before 2.6.6 is vulnerable to a Man-in-the-Middle, as the vulnerable component defaults to trusting the latest proxy before the web-server, even if an untrusted client is involved in the request.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: LOW
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: LOW
Availability Impact: NONE

CWE-300 - Channel Accessible by Non-Endpoint

The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.

References

Advisory
Pull request

Advisory Timeline

Published Apr 01, 2015

Channel Accessible by Non-Endpoint

CVE-2015-2309

Summary

CWE-300 - Channel Accessible by Non-Endpoint

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS