CVE-2018-14773 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	Medium
Remote	Yes
Type	Access restriction bypass
Description	Support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header allows a user to access one URL but have Symfony return a different one which can bypass restrictions on higher level caches and web servers. The fix drops support for these two obsolete IIS headers: X-Original-URL and X_REWRITE_URL.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-744	drupal	8.5.5-1	8.5.6-1	Medium	Fixed

References
https://symfony.com/blog/cve-2018-14773-remove-support-for-legacy-and-risky-http-headers https://github.com/symfony/symfony/commit/e447e8b92148ddb3d1956b96638600ec95e08f6b