Firewall configured with unanimous strategy was not actually unanimous in symfony/security-http
CVE-2020-5275

7.6HIGH

Key Information:

Vendor
Symfony
Status
Symfony
Vendor
CVE Published:
30 March 2020

Summary

In symfony/security-http before versions 4.4.7 and 5.0.7, when a Firewall checks access control rule, it iterate overs each rule's attributes and stops as soon as the accessDecisionManager decides to grant access on the attribute, preventing the check of next attributes that should have been take into account in an unanimous strategy. The accessDecisionManager is now called with all attributes at once, allowing the unanimous strategy being applied on each attribute. This issue is patched in versions 4.4.7 and 5.0.7.

Affected Version(s)

symfony >= 4.4.0, < 4.4.7 < 4.4.0, 4.4.7

symfony >= 5.0.0, < 5.0.7 < 5.0.0, 5.0.7

References

https://github.com/symfony/symfony/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/symfony/symfony/commit/c935e4a3fba6cc2...
x_refsource_CONFIRM
https://lists.fedoraproject.org/archives/list/package-ann...
vendor-advisoryx_refsource_FEDORA

CVSS V3.1

Score:
7.6
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.