
Symfony's Request::getHost() vulnerable to host header attack

In Request::getHost(), if the underlying web server is not configured to reject requests for untrusted domain names, absolute URL generation is vulnerable to a Host HTTP header attack: whatever host the attacker puts in the request ends up in the generated links, for example in a password-reset URL that is e-mailed to a victim. Moreover, because of how RFC 2616 is written, web servers are still vulnerable if the Request-URI is an absolute URL and the Host header does not match it: in that case the server must take the host from the Request-URI and ignore the Host header, so a vhost check on the Host header alone can be bypassed.
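
The following is an added example, not code from Symfony or from the advisory, showing the two attack vectors described above against a hypothetical password-reset link generator, and the mitigation the patched releases adopt in principle: an explicit allow-list of trusted hosts checked by the application itself, not only by the web server. The request arrays, the host patterns and the function names are constructed for this example.

```php
<?php
// Added example (not Symfony's code). Runs stand-alone with the PHP CLI.

// Hypothetical stand-in for a framework's getHost(): derives the host the
// same way a framework would, including the RFC 2616 section 5.2 rule that
// an absolute-form Request-URI carries the host and the Host header is then
// ignored.
function requestHost(array $server): string
{
    $uri = $server['REQUEST_URI'] ?? '';
    if (preg_match('#^https?://#i', $uri)) {
        $host = parse_url($uri, PHP_URL_HOST) ?: '';
    } else {
        $host = $server['HTTP_HOST'] ?? $server['SERVER_NAME'] ?? '';
    }
    // strip an explicit port and normalise case
    return strtolower(preg_replace('/:\d+$/', '', trim($host)));
}

// The vulnerable pattern: an absolute URL built from the request host
// without any validation, e.g. a password-reset link sent by e-mail.
function resetLink(string $host, string $token): string
{
    return 'https://' . $host . '/reset?token=' . rawurlencode($token);
}

// Mitigation: the host must match one of the configured patterns (anchored
// regular expressions, an assumption for this example) and contain only
// characters valid in a hostname or IPv6 literal.
function isTrustedHost(string $host, array $trustedHostPatterns): bool
{
    if (!preg_match('/^[a-z0-9.\-\[\]:]+$/', $host)) {
        return false;
    }
    foreach ($trustedHostPatterns as $pattern) {
        if (preg_match('{^(?:' . $pattern . ')$}i', $host)) {
            return true;
        }
    }
    return false;
}

// Hardened variant of the same link generator: refuse to build a URL for an
// untrusted host instead of silently using it.
function safeResetLink(array $server, array $trustedHostPatterns, string $token): string
{
    $host = requestHost($server);
    if (!isTrustedHost($host, $trustedHostPatterns)) {
        throw new UnexpectedValueException('Untrusted Host: ' . $host);
    }
    return resetLink($host, $token);
}

// Constructed allow-list for the example: the apex domain and its subdomains.
$trusted = ['example\.com', '.*\.example\.com'];

// Constructed request 1: a forged Host header reaching a server whose default
// vhost serves any name. The unvalidated link now points at the attacker.
$poisoned = [
    'REQUEST_URI' => '/reset-request',
    'HTTP_HOST'   => 'attacker.example',
    'SERVER_NAME' => 'example.com',
];
echo 'vulnerable, forged Host:        ', resetLink(requestHost($poisoned), 'abc123'), "\n";

// Constructed request 2: the Host header is correct, but the Request-URI is in
// absolute form, which is what defeats a Host-header-only check at the server.
$absoluteForm = [
    'REQUEST_URI' => 'http://attacker.example/reset-request',
    'HTTP_HOST'   => 'example.com',
    'SERVER_NAME' => 'example.com',
];
echo 'vulnerable, absolute Request-URI: ', resetLink(requestHost($absoluteForm), 'abc123'), "\n";

// The hardened generator rejects both requests.
foreach ([$poisoned, $absoluteForm] as $server) {
    try {
        echo safeResetLink($server, $trusted, 'abc123'), "\n";
    } catch (UnexpectedValueException $e) {
        echo 'hardened: rejected (', $e->getMessage(), ")\n";
    }
}

// A legitimate request, with a port suffix that gets stripped, is still served.
$legit = ['REQUEST_URI' => '/reset-request', 'HTTP_HOST' => 'www.example.com:443'];
echo 'hardened, legitimate host:        ', safeResetLink($legit, $trusted, 'abc123'), "\n";
```

Two things to take from this. First, the web server's vhost configuration (a default server that refuses unknown names) is only a first line of defence, because the absolute-form Request-URI reaches the application with a host the server never compared against the Host header; the allow-list has to be enforced on the value the application actually uses. Second, the allow-list is deliberately anchored and character-restricted: an unanchored pattern such as `example\.com` would also accept `example.com.attacker.example`.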

See the announcement on the Symfony blog for details on how to apply the fix.
The blog post details two security issues:

  • Affects eZ Publish out of the box: "CVE-2013-4752: Request::getHost() poisoning"
  • Affects you if you use the Validator component in custom code: "CVE-2013-4751: Validation metadata serialization and loss of information"

For further info see: http://symfony.com/blog/security-releases-symfony-2-0-24-2-1-12-2-2-5-and-2-3-3-released

