Exceptions displayed in non-debug configurations in Symfony
CVE-2020-5274

4.6MEDIUM

Key Information:

Vendor

Symfony

Status
Symfony
Vendor
CVE Published:
30 March 2020

What is CVE-2020-5274?

In Symfony before versions 5.0.5 and 4.4.5, some properties of the Exception were not properly escaped when the ErrorHandler rendered it stacktrace. In addition, the stacktrace were displayed even in a non-debug configuration. The ErrorHandler now escape alls properties of the exception, and the stacktrace is only display in debug configuration. This issue is patched in symfony/http-foundation versions 4.4.5 and 5.0.5

Affected Version(s)

symfony >= 4.0.0, < 4.4.5 < 4.0.0, 4.4.5

symfony >= 5.0.0, < 5.0.5 < 5.0.0, 5.0.5

References

https://github.com/symfony/symfony/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/symfony/symfony/commit/629d21b800a15dc...
x_refsource_MISC
https://github.com/symfony/symfony/commit/cf80224589ac054...
x_refsource_MISC

CVSS V3.1

Score:
4.6
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.