CVE-2012-6431 — Improper Authentication in Http-foundation

CWE-264 CWE-287 — Improper Authentication4 documents4 sources

Severity

6.4MEDIUMNVD

EPSS

0.2%

top 55.33%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Symfony Http-foundation Symfony Routing Symfony Security +2 more

Timeline

PublishedDec 27

Latest updateMay 17

Description

Symfony 2.0.x before 2.0.20 does not process URL encoded data consistently within the Routing and Security components, which allows remote attackers to bypass intended URI restrictions via a doubly encoded string.

CVSS vector

AV:N/AC:L/C:P/I:P/A:NExploitability: 10.0 | Impact: 4.9

Affected Packages5 packages

▶Packagistsymfony/routing2.0.0 — 2.0.19

▶Packagistsymfony/security2.0.0 — 2.0.19

▶Packagistsymfony/symfony2.0.0 — 2.0.19

▶Packagistsymfony/http-foundation2.0.0 — 2.0.19

▶NVDsensiolabs/symfony20 versions+19

🔴Vulnerability Details

GHSA

Symfony Allows URI Restrictions Bypass Via Double-Encoded String↗2022-05-17

▶

OSV

Symfony Allows URI Restrictions Bypass Via Double-Encoded String↗2022-05-17

▶

CVEList

CVE-2012-6431: Symfony 2↗2012-12-27

▶