Debian Symfony vulnerabilities

62 known vulnerabilities affecting debian/symfony.

Total CVEs: 62
CISA KEV: 0
Public exploits: 3
Exploited in wild: 0
Severity breakdown: CRITICAL 6, HIGH 16, MEDIUM 20, LOW 19, UNKNOWN 1

Vulnerabilities

Page 2 of 4
CVE-2021-32693 | LOW | CVSS 6.8 | 2021 | debian
[MEDIUM] symfony - Symfony is a PHP framework for web and console applications and a set of reusable PHP components. A vulnerability related to firewall authentication is in Symfony starting with version 5.3.0 and prior to 5.3.2. When an application defines multiple firewalls, the token authenticated by one of the firewalls was available for all other firewalls. This could be abused
CVE-2020-5275 | HIGH | CVSS 7.6 | fixed in symfony 4.4.8-1 (bookworm) | 2020 | debian
[HIGH] symfony - In symfony/security-http before versions 4.4.7 and 5.0.7, when a `Firewall` checks an access control rule, it iterates over each rule's attributes and stops as soon as the accessDecisionManager decides to grant access on the attribute, preventing the check of the next attributes that should have been taken into account in a unanimous strategy. The accessDecisionManager is no
CVE-2020-15094 | HIGH | CVSS 8.0 | fixed in symfony 4.4.13+dfsg-1 (bookworm) | 2020 | debian
[HIGH] symfony - In Symfony before versions 4.4.13 and 5.1.5, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls
CVE-2020-5274 | MEDIUM | CVSS 4.6 | fixed in symfony 4.4.8-1 (bookworm) | 2020 | debian
[MEDIUM] symfony - In Symfony before versions 5.0.5 and 4.4.5, some properties of the Exception were not properly escaped when the `ErrorHandler` rendered its stacktrace. In addition, the stacktrace was displayed even in a non-debug configuration. The ErrorHandler now escapes all properties of the exception, and the stacktrace is only displayed in debug configuration. This issue is patc
CVE-2020-5255 | LOW | CVSS 2.6 | fixed in symfony 4.4.8-1 (bookworm) | 2020 | debian
[LOW] symfony - In Symfony before versions 4.4.7 and 5.0.7, when a `Response` does not contain a `Content-Type` header, affected versions of Symfony can fall back to the format defined in the `Accept` header of the request, leading to a possible mismatch between the response's content and `Content-Type` header. When the response is cached, this can prevent the use of the website by oth
CVE-2019-10910 | CRITICAL | CVSS 9.8 | fixed in symfony 3.4.22+dfsg-2 (bookworm) | 2019 | debian
[CRITICAL] symfony - In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, when service ids allow user input, this could allow for SQL Injection and remote code execution. This is related to symfony/dependency-injection. Scope: local. bookworm: resolved (fixed in 3.4.22+dfsg-2); bullseye: resolved (fixed in 3.4.22+dfsg-2); forky: r
CVE-2019-18889 | CRITICAL | CVSS 9.8 | fixed in symfony 4.3.8+dfsg-1 (bookworm) | 2019 | debian
[CRITICAL] symfony - An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is related to symfony/cache. Scope: local. bookworm: resolved (fixed in 4.3.8+dfsg-1); bullseye: resolved (fixed in 4.3.8+dfsg-1); forky: resolved (fixed in 4.3.8+dfsg-1); sid
CVE-2019-10913 | CRITICAL | CVSS 9.8 | fixed in symfony 3.4.22+dfsg-2 (bookworm) | 2019 | debian
[CRITICAL] symfony - In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, HTTP methods provided as verbs or using the override header may be treated as trusted input, but they are not validated, possibly causing SQL injection or XSS. This is related to symfony/http-foundation. Scope: local. bookworm: resolved (fixed in 3.4.22+df
CVE-2019-11325 | CRITICAL | CVSS 9.8 | fixed in symfony 4.3.8+dfsg-1 (bookworm) | 2019 | debian
[CRITICAL] symfony - An issue was discovered in Symfony before 4.2.12 and 4.3.x before 4.3.8. The VarExport component incorrectly escapes strings, allowing some specially crafted ones to escalate to execution of arbitrary PHP code. This is related to symfony/var-exporter. Scope: local. bookworm: resolved (fixed in 4.3.8+dfsg-1); bullseye: resolved (fixed in 4.3.8+dfsg-1); forky: resolv
CVE-2019-10912 | HIGH | CVSS 7.1 | fixed in symfony 3.4.22+dfsg-2 (bookworm) | 2019 | debian
[HIGH] symfony - In Symfony before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, it is possible to cache objects that may contain bad user input. On serialization or unserialization, this could result in the deletion of files that the current user has access to. This is related to symfony/cache and symfony/phpunit-bridge. Scope: local. bookworm: resolved (fixe
CVE-2019-18888 | HIGH | CVSS 7.5 | fixed in symfony 4.3.8+dfsg-1 (bookworm) | 2019 | debian
[HIGH] symfony - An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arbitrary arguments are passed to the underlying file command. This is related to symfony/http-foundation (and symfony/mime in 4.3.x
CVE-2019-18887 | HIGH | CVSS 8.1 | fixed in symfony 4.3.8+dfsg-1 (bookworm) | 2019 | debian
[HIGH] symfony - An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. The UriSigner was subject to timing attacks. This is related to symfony/http-kernel. Scope: local. bookworm: resolved (fixed in 4.3.8+dfsg-1); bullseye: resolved (fixed in 4.3.8+dfsg-1); forky: resolved (fixed in 4.3.8+dfsg-1); sid: resolved (fix
CVE-2019-10911 | HIGH | CVSS 7.5 | fixed in symfony 3.4.22+dfsg-2 (bookworm) | 2019 | debian
[HIGH] symfony - In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, a vulnerability would allow an attacker to authenticate as a privileged user on sites with user registration and remember-me login functionality enabled. This is related to symfony/security. Scope: local. bookworm: resolved (fixed in 3.4.22+dfsg-2); bullseye: r
CVE-2019-10909 | MEDIUM | CVSS 5.4 | fixed in symfony 3.4.22+dfsg-2 (bookworm) | 2019 | debian
[MEDIUM] symfony - In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, validation messages are not escaped, which can lead to XSS when user input is included. This is related to symfony/framework-bundle. Scope: local. bookworm: resolved (fixed in 3.4.22+dfsg-2); bullseye: resolved (fixed in 3.4.22+dfsg-2); forky: resolved (fixed
CVE-2019-18886 | MEDIUM | CVSS 5.3 | fixed in symfony 4.3.8+dfsg-1 (bookworm) | 2019 | debian
[MEDIUM] symfony - An issue was discovered in Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7. The ability to enumerate users was possible due to different handling depending on whether the user existed when making unauthorized attempts to use the switch-users functionality. This is related to symfony/security. Scope: local. bookworm: resolved (fixed in 4.3.8+dfsg-1); bullseye: resolved (f
CVE-2018-11407 | CRITICAL | CVSS 9.8 | fixed in symfony 3.4.12+dfsg-1 (bookworm) | 2018 | debian
[CRITICAL] symfony - An issue was discovered in the Ldap component in Symfony 2.8.x before 2.8.37, 3.3.x before 3.3.17, 3.4.x before 3.4.7, and 4.0.x before 4.0.7. It allows remote attackers to bypass authentication by logging in with a "null" password and valid username, which triggers an unauthenticated bind. NOTE: this issue exists because of an incomplete fix for CVE-2016-2403.
CVE-2018-11385 | HIGH | CVSS 8.1 | fixed in symfony 3.4.12+dfsg-1 (bookworm) | 2018 | debian
[HIGH] symfony - An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. A session fixation vulnerability within the "Guard" login feature may allow an attacker to impersonate a victim towards the web application if the session id value was previously known to the attack
CVE-2018-11406 | HIGH | CVSS 8.8 | fixed in symfony 3.4.12+dfsg-1 (bookworm) | 2018 | debian
[HIGH] symfony - An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. By default, a user's session is invalidated when the user is logged out. This behavior can be disabled through the invalidate_session option. In this case, CSRF tokens were not erased during logout
CVE-2018-14774 | HIGH | CVSS 7.2 | fixed in symfony 3.4.14+dfsg-1 (bookworm) | 2018 | debian
[HIGH] symfony - An issue was discovered in HttpKernel in Symfony 2.7.0 through 2.7.48, 2.8.0 through 2.8.43, 3.3.0 through 3.3.17, 3.4.0 through 3.4.13, 4.0.0 through 4.0.13, and 4.1.0 through 4.1.2. When using HttpCache, the values of the X-Forwarded-Host headers are implicitly set as trusted while this should be forbidden, leading to potential host header injection. Scope: local
CVE-2018-19790 | MEDIUM | CVSS 6.1 | fixed in symfony 3.4.20+dfsg-1 (bookworm) | 2018 | debian
[MEDIUM] symfony - An open redirect was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9 and 4.2.x before 4.2.1. By using backslashes in the `_failure_path` input field of login forms, an attacker can work around the redirection target restrictions and effectively redirect the user to any domain after login. S