Symfony vulnerable to code injection


Symfony is an open source web application framework provided by SensioLabs. Symfony contains a code injection vulnerability. Applications with ESI support enabled and using the Symfony built-in reverse proxy (the HttpCache class) are affected.

Takeshi Terada of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

Base Metrics: 6.8 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial

Affected Products

Sensio Labs
  • Symfony 2.0.x, 2.1.x, 2.2.x, 2.3.x, 2.4.x, 2.5.x, 2.6.x


Arbitrary PHP code may be executed on the server where an application using Symfony resides.

[Update the software]
Update to the appropriate version according to the information provided by the developer.
This vulnerability has been addressed in Symfony 2.3.27, 2.5.11 and 2.6.6.

Note that Symfony 2.0, 2.1, 2.2 and 2.4 are no longer being developed or supported therefore this issue has not been fixed in these versions.
Vendor Information

Sensio Labs
CWE (What is CWE?)

  1. Code Injection(CWE-94) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2015-2308

  1. JVN : JVN#19578958
  2. National Vulnerability Database (NVD) : CVE-2015-2308
  3. IPA SECURITY ALERTS : Security Alert for Vulnerability in Symfony (JVN#19578958) (in Japanese)
Revision History

  Web page was published
  References : Content was added