High severityNVD Advisory· Published Mar 30, 2020· Updated Aug 4, 2024
Firewall configured with unanimous strategy was not actually unanimous in symfony/security-http
CVE-2020-5275
Description
In symfony/security-http before versions 4.4.7 and 5.0.7, when a Firewall checks access control rule, it iterate overs each rule's attributes and stops as soon as the accessDecisionManager decides to grant access on the attribute, preventing the check of next attributes that should have been take into account in an unanimous strategy. The accessDecisionManager is now called with all attributes at once, allowing the unanimous strategy being applied on each attribute. This issue is patched in versions 4.4.7 and 5.0.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
symfony/securityPackagist | >= 4.4.0, < 4.4.7 | 4.4.7 |
symfony/securityPackagist | >= 5.0.0, < 5.0.7 | 5.0.7 |
symfony/security-httpPackagist | >= 4.4.0, < 4.4.7 | 4.4.7 |
symfony/security-httpPackagist | >= 5.0.0, < 5.0.7 | 5.0.7 |
symfony/symfonyPackagist | >= 4.4.0, < 4.4.7 | 4.4.7 |
symfony/symfonyPackagist | >= 5.0.0, < 5.0.7 | 5.0.7 |
Affected products
5- osv-coords4 versionspkg:bitnami/symfonypkg:composer/symfony/securitypkg:composer/symfony/security-httppkg:composer/symfony/symfony
>= 4.4.0, < 4.4.7+ 3 more
- (no CPE)range: >= 4.4.0, < 4.4.7
- (no CPE)range: >= 4.4.0, < 4.4.7
- (no CPE)range: >= 4.4.0, < 4.4.7
- (no CPE)range: >= 4.4.0, < 4.4.7
- Range: >= 4.4.0, < 4.4.7
Patches
Vulnerability mechanics
References
10- github.com/advisories/GHSA-g4m9-5hpf-hx72ghsaADVISORY
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C36JLPHUPKDFAX6D5WYFC4ALO2K7RDUQ/mitrevendor-advisoryx_refsource_FEDORA
- nvd.nist.gov/vuln/detail/CVE-2020-5275ghsaADVISORY
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2020-5275.yamlghsaWEB
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security/CVE-2020-5275.yamlghsaWEB
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2020-5275.yamlghsaWEB
- github.com/symfony/symfony/commit/c935e4a3fba6cc2ab463a6ca382858068d63cebfghsax_refsource_CONFIRMWEB
- github.com/symfony/symfony/security/advisories/GHSA-g4m9-5hpf-hx72ghsax_refsource_CONFIRMWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C36JLPHUPKDFAX6D5WYFC4ALO2K7RDUQghsaWEB
- symfony.com/cve-2020-5275ghsaWEB
News mentions
0No linked articles in our index yet.