Vulnerability of symfony/http-client (CVE-2024-50342 )

fakruzaruret

I get vulnerability notification when I update flarum on terminal. What should I do?

Found 1 security vulnerability advisory affecting 1 package:
+-------------------+----------------------------------------------------------------------------------+
| Package           | symfony/http-client                                                              |
| CVE               | CVE-2024-50342                                                                   |
| Title             | CVE-2024-50342: Internal address and port enumeration allowed by NoPrivateNetwor |
|                   | kHttpClient                                                                      |
| URL               | https://symfony.com/cve-2024-50342                                               |
| Affected versions | >=4.3.0,<4.4.0|>=4.4.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3 |
|                   | .0,<5.4.0|>=5.4.0,<5.4.47|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,< |
|                   | 6.4.0|>=6.4.0,<6.4.15|>=7.0.0,<7.1.0|>=7.1.0,<7.1.8                              |
| Reported at       | 2024-11-13T08:00:00+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+

php flarum info

Flarum core: 1.8.10
PHP version: 8.2.27
MySQL version: 10.6.21-MariaDB-ubu2004
Loaded extensions: Core, date, libxml, openssl, pcre, zlib, filter, hash, json, pcntl, random, Reflection, SPL, session, standard, sodium, mysqlnd, PDO, xml, bcmath, bz2, calendar, ctype, curl, dom, mbstring, FFI, fileinfo, ftp, gd, gettext, iconv, imagick, imap, exif, mysqli, pdo_mysql, Phar, posix, pspell, readline, shmop, SimpleXML, soap, sockets, sysvmsg, sysvsem, sysvshm, tokenizer, xmlreader, xmlwriter, xsl, zip, ionCube Loader, Zend OPcache
+--------------------------------------+---------+--------+
| Flarum Extensions                    |         |        |
+--------------------------------------+---------+--------+
| ID                                   | Version | Commit |
+--------------------------------------+---------+--------+
| flarum-flags                         | v1.8.2  |        |
| flarum-tags                          | v1.8.4  |        |
| flarum-approval                      | v1.8.2  |        |
| flarum-suspend                       | v1.8.4  |        |
| flarum-mentions                      | v1.8.5  |        |
| flarum-subscriptions                 | v1.8.1  |        |
| fof-merge-discussions                | 1.4.1   |        |
| afrux-forum-widgets-core             | v0.1.7  |        |
| fof-user-directory                   | 1.4.0   |        |
| fof-follow-tags                      | 1.2.9   |        |
| fof-pages                            | 1.0.8   |        |
| fof-oauth                            | 1.6.16  |        |
| fof-impersonate                      | 1.2.0   |        |
| fof-byobu                            | 1.4.1   |        |
| flarum-sticky                        | v1.8.2  |        |
| walsgit-discussion-cards             | 1.2.0   |        |
| v17development-user-badges           | v1.1.0  |        |
| v17development-seo                   | v2.0.6  |        |
| sycho-profile-cover                  | v1.3.5  |        |
| michaelbelgium-discussion-views      | v7.3    |        |
| justoverclock-welcomebox             | 2.0.2   |        |
| justoverclock-last-registered-users  | 0.1.5   |        |
| justoverclock-feedback               | 0.1.9   |        |
| ianm-synopsis                        | 1.3.7   |        |
| ianm-syndication                     | 1.3.4   |        |
| ianm-level-ranks                     | 1.1.1   |        |
| ianm-html-head                       | 1.2.4   |        |
| ianm-follow-users                    | 1.4.11  |        |
| ianm-boring-avatars                  | 1.0.1   |        |
| fof-user-bio                         | 1.4.2   |        |
| fof-upload                           | 1.8.1   |        |
| fof-subscribed                       | 1.1.4   |        |
| fof-split                            | 1.1.1   |        |
| fof-socialprofile                    | 1.1.6   |        |
| fof-sitemap                          | 2.2.1   |        |
| fof-share-social                     | 1.2.0   |        |
| fof-recaptcha                        | 1.3.4   |        |
| fof-profile-image-crop               | 1.1.6   |        |
| fof-polls                            | 2.2.12  |        |
| fof-nightmode                        | 1.6.0   |        |
| fof-moderator-notes                  | 1.3.0   |        |
| fof-masquerade                       | 2.1.6   |        |
| fof-links                            | 1.3.0   |        |
| fof-ignore-users                     | 1.2.1   |        |
| fof-formatting                       | 1.0.3   |        |
| fof-filter                           | 1.2.0   |        |
| fof-drafts                           | 1.2.12  |        |
| fof-disposable-emails                | 1.0.0   |        |
| fof-discussion-language              | 1.3.6   |        |
| fof-direct-links                     | 1.0.1   |        |
| fof-cookie-consent                   | 1.1.3   |        |
| fof-bbcode-details                   | 1.1.2   |        |
| fof-anti-spam                        | 1.1.3   |        |
| flarum-statistics                    | v1.8.1  |        |
| flarum-markdown                      | v1.8.1  |        |
| flarum-lock                          | v1.8.2  |        |
| flarum-likes                         | v1.8.1  |        |
| flarum-lang-turkish                  | 1.34.0  |        |
| flarum-extension-manager             | v1.0.7  |        |
| flarum-emoji                         | v1.8.1  |        |
| flarum-bbcode                        | v1.8.0  |        |
| davwheat-session-keepalive           | 1.1.0   |        |
| datlechin-posted-on                  | v0.2.1  |        |
| datlechin-link-preview               | v1.6.0  |        |
| datlechin-discussion-count           | v0.1.0  |        |
| datlechin-copy-links                 | v1.0.1  |        |
| clarkwinkelmann-shadow-ban           | 1.1.0   |        |
| clarkwinkelmann-post-bookmarks       | 1.0.0   |        |
| clarkwinkelmann-mass-actions         | 1.1.2   |        |
| clarkwinkelmann-mailing              | 1.1.0   |        |
| clarkwinkelmann-group-list           | 1.0.0   |        |
| clarkwinkelmann-discussion-bookmarks | 2.0.1   |        |
| clarkwinkelmann-author-change        | 1.0.3   |        |
| blomstra-mark-unread                 | 0.2.0   |        |
| askvortsov-moderator-warnings        | v0.6.3  |        |
| afrux-top-posters-widget             | v0.1.4  |        |
| afrux-online-users-widget            | v0.1.9  |        |
| afrux-news-widget                    | v0.1.1  |        |
| afrux-forum-stats-widget             | v0.1.1  |        |
| acpl-mobile-tab                      | 1.4.5   |        |
+--------------------------------------+---------+--------+
Base URL: https://domain.com
Installation path: /home/user/web/domain.com/public_html
Queue driver: sync
Session driver: file
Scheduler status: Aktif
Mail driver: smtp
Debug mode: off

clarkwinkelmann

fakruzaruret can you run the command composer why symfony/http-client

This package doesn't seem to be installed on a default Flarum install. It must be a dependency of one of your extensions.

It's possible that the library is not even actually used by the extension. Just having a vulnerable package installed but not used by any extensions is generally not dangerous, unless your vendor folder is not properly protected against direct HTTP access.

Silvestrus

clarkwinkelmann I have the same situation. Here is the result:

composer why symfony/http-client
web-token/jwt-library 3.3.5 requires symfony/http-client (⁵.4|⁶.0|⁷.0)

luceos

I had a hit that sentry/sdk uses it on our demo. But l can't imagine it being used in a way that the vulnerability affects it as the affected feature NoPrivateNetworkHttpClient seems to be explicitly meant in certain edge cases: https://symfony.com/doc/current/http_client.html#ssrf-server-side-request-forgery-handling

clarkwinkelmann

Most extensions that use HTTP clients will never make requests to arbitrary user-provided URLs so would not be impacted.

Even for those that do, the amount of probing of the local network you could do depends on what the application does with the response, and whether it passes any of that information back to the client.

And even there, most Flarum hostings are probably running in isolated networks, without any other host in the private network to probe. Don't know if the vuln allows scanning anything on localhost.