CVE-2020-5275 — Improper Authorization in Symfony

CWE-285 — Improper Authorization CWE-863 — Incorrect Authorization8 documents6 sources

Severity

8.1HIGHNVD

CNA7.6

EPSS

0.3%

top 49.18%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Symfony Sensiolabs Symfony Symfony Security +1 more

Timeline

PublishedMar 30

Latest updateApr 3

Description

In symfony/security-http before versions 4.4.7 and 5.0.7, when a `Firewall` checks access control rule, it iterate overs each rule's attributes and stops as soon as the accessDecisionManager decides to grant access on the attribute, preventing the check of next attributes that should have been take into account in an unanimous strategy. The accessDecisionManager is now called with all attributes at once, allowing the unanimous strategy being applied on each attribute. This issue is patched in ve…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:NExploitability: 2.8 | Impact: 5.2

Affected Packages6 packages

▶Packagistsymfony/security-http4.4.0 — 4.4.7+1

▶Packagistsymfony/security4.4.0 — 4.4.7+1

▶Packagistsymfony/symfony4.4.0 — 4.4.7+1

▶NVDsensiolabs/symfony4.4.0 — 4.4.7+1

▶Debiansymfony/symfony< 4.4.8-1+3

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

Firewall configured with unanimous strategy was not actually unanimous in symfony/security-http↗2020-03-30

▶

GHSA

Firewall configured with unanimous strategy was not actually unanimous in Symfony↗2020-03-30

▶

OSV

Firewall configured with unanimous strategy was not actually unanimous in Symfony↗2020-03-30

▶

OSV

CVE-2020-5275: In symfony/security-http before versions 4↗2020-03-30

▶

📋Vendor Advisories

Debian

CVE-2020-5275: symfony - In symfony/security-http before versions 4.4.7 and 5.0.7, when a `Firewall` chec...↗2020

▶

💬Community

Bugzilla

CVE-2020-5275 php-symfony4: symfony: Insuficient atributes checking in firewall function could result in unauthorized access [fedora-all]↗2020-04-03

▶

Bugzilla

CVE-2020-5275 symfony: Insuficient atributes checking in firewall function could result in unauthorized access↗2020-04-03

▶