As you know, the eighth version of Drupal, one of the most popular CMSs in the world, is built on Symfony2. Symfony is a free PHP framework that follows the Model-View-Controller pattern. It offers fast development and management of web applications and supports multiple databases (MySQL, PostgreSQL, SQLite or any other PDO-compatible DBMS).
Recently, a serious vulnerability was found in the Symfony HttpFoundation component (CVE-2018-14773). As it turned out, the bug also affects Drupal 8.x versions (up to 8.5.6).
The developers explain that the problem stems from Symfony's support for IIS-specific headers: a specially crafted X-Original-URL or X-Rewrite-URL header in an HTTP request can make a vulnerable system bypass an access restriction, because the application ends up processing a URL other than the one the restriction was applied to.
The bug was fixed in Symfony versions 2.7.49, 2.8.44, 3.3.18, 3.4.14, 4.0.14 and 4.1.3, and the Drupal team updated the CMS to the safe version 8.5.6.
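Upgrading is the real fix. As an added example (not Symfony's or Drupal's own code), the following front-controller guard shows how a site that cannot upgrade immediately can refuse and log any request carrying the two override headers before the framework ever builds its Request object. It assumes PHP is not behind a real IIS rewrite module (which sets these headers legitimately) and that the check is placed at the top of the web front controller, before Request::createFromGlobals().

```php
<?php
// Added example, not part of Symfony or Drupal: reject requests that carry
// X-Original-URL / X-Rewrite-URL so nothing downstream can act on them.
// Assumption: PHP is not served by IIS with a rewrite module, which would
// set these headers server-side for legitimate reasons.

declare(strict_types=1);

/**
 * Return the override headers present in the request, as PHP exposes them
 * in $_SERVER (HTTP_ prefix, upper case, '-' replaced by '_').
 *
 * @param array<string,mixed> $server  normally $_SERVER
 * @return string[]                    e.g. ['X-Original-URL']
 */
function findUrlOverrideHeaders(array $server): array
{
    $found = [];
    $watched = [
        'HTTP_X_ORIGINAL_URL' => 'X-Original-URL',
        'HTTP_X_REWRITE_URL'  => 'X-Rewrite-URL',
    ];
    foreach ($watched as $key => $name) {
        if (isset($server[$key]) && $server[$key] !== '') {
            $found[] = $name;
        }
    }
    return $found;
}

// --- front controller (e.g. index.php), before Request::createFromGlobals() ---
$override = findUrlOverrideHeaders($_SERVER);
if ($override !== []) {
    // Record which header was seen, the path actually requested and the
    // client address so the attempt is visible in application logs.
    error_log(sprintf(
        'Rejected URL override header(s) %s on %s from %s',
        implode(',', $override),
        $_SERVER['REQUEST_URI'] ?? '?',
        $_SERVER['REMOTE_ADDR'] ?? '?'
    ));
    http_response_code(400);
    header('Content-Type: text/plain');
    exit("Bad Request\n");
}

// Normal bootstrap continues here, e.g.:
// $request = Request::createFromGlobals();
```

Because the vulnerable Symfony code reads and then removes these headers, a check placed after the Request is created would no longer see them; that is why the guard sits in the front controller.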
Drupal developers note that a similar problem was also found in the Zend Feed and Diactoros libraries, which ship with Drupal as well. They stress that Drupal core itself does not use the vulnerable functionality, but users are nevertheless advised to update in case their site or a module works with Zend Feed or Diactoros directly.