CVE-2020-5275 symfony/security-http

Package

Manager: composer
Name: symfony/security-http
Vulnerable Version: >=4.4.0 <4.4.7 || >=5.0.0 <5.0.7

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00274 (percentile 0.5047)

Details

Firewall configured with unanimous strategy was not actually unanimous in Symfony

Description

On Symfony before 4.4.0, when a `Firewall` checks an access control rule (using the unanimous strategy), it iterates over all rule attributes and grants access only if *all* calls to the `accessDecisionManager` decide to grant access. As of Symfony 4.4.0, a bug was introduced that stops checking the remaining attributes as soon as the `accessDecisionManager` decides to grant access on one attribute.

Resolution

The `accessDecisionManager` is now called with all attributes at once, allowing the unanimous strategy to be applied to each attribute. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/c935e4a3fba6cc2ab463a6ca382858068d63cebf) for the 4.4 branch.

Credits

I would like to thank Antonio J. García Lagar for reporting & Robin Chalas for fixing the issue.
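As an added illustration (not Symfony's code and not the patched listener), the self-contained PHP below contrasts the per-attribute short-circuit the advisory describes with a single call that carries all attributes. The decision manager, the two voters and the token array are hypothetical stand-ins for Symfony's `AccessDecisionManager`, voters and security token.

```php
<?php
declare(strict_types=1);

// Added illustration, not Symfony's code: a minimal "unanimous" decision manager.
// Voters return true (grant), false (deny) or null (abstain) for one attribute;
// one denial on any attribute vetoes the decision, otherwise any grant is enough.
final class UnanimousDecisionManager
{
    public function __construct(private array $voters) {}

    public function decide(array $token, array $attributes): bool
    {
        $granted = 0;
        foreach ($attributes as $attribute) {
            foreach ($this->voters as $voter) {
                $vote = $voter($token, $attribute);
                if ($vote === false) {
                    return false; // a single denial vetoes the whole decision
                }
                if ($vote === true) {
                    $granted++;
                }
            }
        }
        return $granted > 0;
    }
}

// Flawed pattern described by the advisory: stop as soon as one attribute is granted.
function flawedCheck(UnanimousDecisionManager $m, array $token, array $attributes): bool
{
    foreach ($attributes as $attribute) {
        if ($m->decide($token, [$attribute])) {
            return true; // the remaining attributes are never checked
        }
    }
    return false;
}

// Fixed pattern: hand every attribute to the manager in one call so the strategy sees them all.
function fixedCheck(UnanimousDecisionManager $m, array $token, array $attributes): bool
{
    return $m->decide($token, $attributes);
}

// Hypothetical voters and a constructed token: has ROLE_USER but is only "remembered".
$roleVoter = fn(array $t, string $a): ?bool => str_starts_with($a, 'ROLE_') ? in_array($a, $t['roles'], true) : null;
$authVoter = fn(array $t, string $a): ?bool => $a === 'IS_AUTHENTICATED_FULLY' ? $t['fully_authenticated'] : null;
$manager = new UnanimousDecisionManager([$roleVoter, $authVoter]);
$token = ['roles' => ['ROLE_USER'], 'fully_authenticated' => false];
$attributes = ['ROLE_USER', 'IS_AUTHENTICATED_FULLY'];
var_dump(flawedCheck($manager, $token, $attributes), fixedCheck($manager, $token, $attributes));
```

Run under PHP 8: the flawed check grants the remembered user access because `ROLE_USER` alone is granted, while the single-call check denies it because `IS_AUTHENTICATED_FULLY` is voted down.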

Metadata

Created: 2020-03-30T20:09:44Z
Modified: 2024-02-05T11:13:15Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/03/GHSA-g4m9-5hpf-hx72/GHSA-g4m9-5hpf-hx72.json
CWE IDs: ["CWE-285"]
Alternative ID: GHSA-g4m9-5hpf-hx72
Finding: F039
Auto approve: 1