Firewall configured with unanimous strategy was not actually unanimous in symfony/security-http
CVE-2020-5275

7.6HIGH

Key Information:

Vendor

Symfony

Status
Symfony
Vendor
CVE Published:
30 March 2020

What is CVE-2020-5275?

In symfony/security-http before versions 4.4.7 and 5.0.7, when a Firewall checks access control rule, it iterate overs each rule's attributes and stops as soon as the accessDecisionManager decides to grant access on the attribute, preventing the check of next attributes that should have been take into account in an unanimous strategy. The accessDecisionManager is now called with all attributes at once, allowing the unanimous strategy being applied on each attribute. This issue is patched in versions 4.4.7 and 5.0.7.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

symfony >= 4.4.0, < 4.4.7 < 4.4.0, 4.4.7

symfony >= 5.0.0, < 5.0.7 < 5.0.0, 5.0.7

References

https://github.com/symfony/symfony/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/symfony/symfony/commit/c935e4a3fba6cc2...
x_refsource_CONFIRM
https://lists.fedoraproject.org/archives/list/package-ann...
vendor-advisoryx_refsource_FEDORA

CVSS V3.1

Score:
7.6
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.