
CVE-2018-14773 Symfony Flaw Affects Drupal Versions 8.x-8.5.6


A new vulnerability, CVE-2018-14773, has been discovered that affects Drupal, the popular open-source content management system. More specifically, the vulnerability resides in a third-party library, the Symfony HttpFoundation component. The component is part of Drupal Core, and Drupal 8.x versions prior to 8.5.6 are affected.




Official Description of CVE-2018-14773

Support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header allows a user to access one URL but have Symfony return a different one which can bypass restrictions on higher level caches and web servers.

It should also be noted that, since Symfony, a web application framework built from a set of PHP components, is used by a large number of projects, the flaw could potentially put many web applications at risk. Remote attackers could exploit the flaw via a specially crafted ‘X-Original-URL’ or ‘X-Rewrite-URL’ HTTP header value, which overrides the path in the request URL and could sidestep access restrictions enforced in front of the application. As a result, the target system could serve a different URL than the one the front-end cache or web server checked.
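The mismatch described above, modelled from the defender's side as an added example (not code from the article, Symfony or Drupal): the first function reproduces the pre-fix behaviour in which an override header replaces the URL path, the second flags requests where the path a front-end cache or web server saw differs from the one the application would route, and the third strips the legacy headers at a reverse proxy so an unpatched application behind it never sees them. Header names and sample values are constructed for illustration.

```python
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# The two legacy IIS headers named in the advisory. Symfony consulted
# X-Original-URL first, then X-Rewrite-URL (order assumed here).
OVERRIDE_HEADERS = ("x-original-url", "x-rewrite-url")


def find_overrides(headers: Dict[str, str]) -> Dict[str, str]:
    """Return any path-override headers present, keyed by lower-cased name."""
    return {k.lower(): v for k, v in headers.items() if k.lower() in OVERRIDE_HEADERS}


def legacy_path_info(request_path: str, headers: Dict[str, str]) -> str:
    """Model of the pre-fix behaviour: an override header's path wins over the URL path."""
    present = find_overrides(headers)
    for name in OVERRIDE_HEADERS:
        if name in present:
            # The header carried a full request URI; only its path is routed.
            return urlsplit(present[name]).path
    return request_path


def path_mismatch(request_path: str, headers: Dict[str, str]) -> bool:
    """Detection: True when the path the front end checked differs from the routed path."""
    return legacy_path_info(request_path, headers) != request_path


def strip_overrides(headers: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Mitigation at the edge: drop the override headers; report which ones were removed."""
    dropped = [k for k in headers if k.lower() in OVERRIDE_HEADERS]
    cleaned = {k: v for k, v in headers.items() if k.lower() not in OVERRIDE_HEADERS}
    return cleaned, dropped


if __name__ == "__main__":
    # Constructed request: the URL the cache/web server saw vs. the header Symfony honoured.
    seen_path = "/public/page"
    hdrs = {"Host": "example.test", "X-Original-URL": "/restricted/area?x=1"}
    print("routed (pre-fix):", legacy_path_info(seen_path, hdrs))   # /restricted/area
    print("mismatch:", path_mismatch(seen_path, hdrs))              # True
    cleaned, dropped = strip_overrides(hdrs)
    print("dropped:", dropped, "mismatch after strip:", path_mismatch(seen_path, cleaned))
```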

Fortunately, CVE-2018-14773 has been fixed in Symfony versions 2.7.49, 2.8.44, 3.3.18, 3.4.14, 4.0.14, and 4.1.3. Drupal has also patched the flaw in its latest release, Drupal 8.5.6.

CVE-2018-14773 Also Found in the Zend Framework

The same vulnerability also exists in the Zend Feed and Diactoros libraries included in Drupal core, researchers warned. Note that Drupal core itself does not use the vulnerable functionality. However, if a site or module uses Zend Feed or Diactoros directly, the site administrator should refer to the Zend Framework security advisory.

Related Story: CVE-2018-7602 Highly Critical Drupal Bug Actively Exploited in the Wild

Drupal was recently criticized over a series of critical security issues that researchers dubbed Drupalgeddon.

In April, another Drupalgeddon remote code execution bug was discovered in the content management system. Identified as CVE-2018-7602, the highly critical vulnerability affected Drupal versions 7.x and 8.x. The bug was actively exploited in the wild.

Milena Dimitrova
