Known security vulnerabilities detected

acardosodev

Vulnerabilities
CVE-2020-5255 Low severity

Dependency

symfony/http-foundation

Version >= 4.4.0 < 4.4.7
Upgrade to ~> 4.4.7

Description
When a Response does not contain a Content-Type header, Symfony falls back to the format defined in the Accept header of the request, leading to a possible mismatch between the response's content and Content-Type header. When the response is cached, this can lead to a corrupted cache where the cached format is not the right one.

Resolution
Symfony does not use the Accept header anymore to guess the Content-Type.

The patch for this issue is available here for the 4.4 branch.

Credits
I would like to thank Xavier Lacot from JoliCode for reporting & Yonel Ceruto and Tobias Schultze for fixing the issue.

CVE 2020 5255 Symfony.com

CVE 2020 5255 Mitre

CVE 2020 5255 Nist

clarkwinkelmann

acardosodev thanks for the report.

I believe Flarum is not impacted by that vulnerability. We do have symfony/http-foundation as a dependecy of two Laravel packages, but we don't actually use the Symfony request/response classes, only file upload and session related classes.

All requests and responses in Flarum are handled via Zend-now-Laminas classes, and I believe we also have an explicit content type on every response.

We will discuss whether an update to our dependency requirements is necessary for the next beta. If we discover Flarum actually being vulnerable we'll make an official announcement.

In the meantime, users are already able to update to the fixed version of the Symfony package with the command composer update symfony/http-foundation without any change required in Flarum.