Bitnami package
symfony
pkg:bitnami/symfony
Vulnerabilities (15)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-46735 | — | >= 6.0.0, < 6.3.8 | 6.3.8 | Nov 10, 2023 | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in version 6.0.0 and prior to version 6.3.8, the error message in `WebhookController` returns unescaped user-submitted input. As of version 6.3.8, `WebhookController` now do | ||
| CVE-2023-46734 | — | >= 2.0.0, < 4.4.51 | 4.4.51 | Nov 10, 2023 | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 2.0.0, 5.0.0, and 6.0.0 and prior to versions 4.4.51, 5.4.31, and 6.3.8, some Twig filters in CodeExtension use `is_safe=html` but don't actually ensure their in | ||
| CVE-2023-46733 | — | >= 5.4.21, < 5.4.31 | 5.4.31 | Nov 10, 2023 | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 5.4.21 and 6.2.7 and prior to versions 5.4.31 and 6.3.8, `SessionStrategyListener` does not migrate the session after every successful login. It does so only in | ||
| CVE-2022-24894 | — | >= 2.0.0, < 4.4.50 | 4.4.50 | Feb 3, 2023 | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony HTTP cache system, acts as a reverse proxy: It caches entire responses (including headers) and returns them to the clients. In a recent change in the `AbstractSessionList | ||
| CVE-2022-24895 | — | >= 2.0.0, < 4.4.50 | 4.4.50 | Feb 3, 2023 | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. When authenticating users Symfony by default regenerates the session ID upon login, but preserves the rest of session attributes. Because this does not clear CSRF tokens upon login, | ||
| CVE-2022-23601 | — | < 5.3.15 | 5.3.15 | Feb 1, 2022 | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony form component provides a CSRF protection mechanism by using a random token injected in the form and using the session to store and control the token submitted by the use | ||
| CVE-2021-41270 | — | >= 4.1.0, < 4.4.35 | 4.4.35 | Nov 24, 2021 | Symfony/Serializer handles serializing and deserializing data structures for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Symfony versions 4.1.0 before 4.4.35 and versions 5.0.0 before 5.3.12 are vulnerable to CSV injection, also | ||
| CVE-2021-41267 | — | >= 5.2.0, < 5.3.12 | 5.3.12 | Nov 24, 2021 | Symfony/Http-Kernel is the HTTP kernel component for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Headers that are not part of the "trusted_headers" allowed list are ignored and protect users from "Cache poisoning" attacks. In Sy | ||
| CVE-2021-41268 | — | >= 5.3.0, < 5.3.12 | 5.3.12 | Nov 24, 2021 | Symfony/SecurityBundle is the security system for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Since the rework of the Remember me cookie in version 5.3.0, the cookie is not invalidated when the user changes their password. Attac | ||
| CVE-2021-32693 | — | >= 5.3.0, < 5.3.2 | 5.3.2 | Jun 17, 2021 | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. A vulnerability related to firewall authentication is in Symfony starting with version 5.3.0 and prior to 5.3.2. When an application defines multiple firewalls, the token authenticat | ||
| CVE-2021-21424 | — | >= 2.8.0, < 3.4.48 | 3.4.48 | May 13, 2021 | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling depending on whether the user existed or not when attempting to use the switch user | ||
| CVE-2020-15094 | — | >= 4.4.0, < 4.4.13 | 4.4.13 | Sep 2, 2020 | In Symfony before versions 4.4.13 and 5.1.5, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The cl | ||
| CVE-2020-5275 | — | >= 4.4.0, < 4.4.7 | 4.4.7 | Mar 30, 2020 | In symfony/security-http before versions 4.4.7 and 5.0.7, when a `Firewall` checks access control rule, it iterate overs each rule's attributes and stops as soon as the accessDecisionManager decides to grant access on the attribute, preventing the check of next attributes that sh | ||
| CVE-2020-5274 | — | >= 4.4.0, < 4.4.4 | 4.4.4 | Mar 30, 2020 | In Symfony before versions 5.0.5 and 4.4.5, some properties of the Exception were not properly escaped when the `ErrorHandler` rendered it stacktrace. In addition, the stacktrace were displayed even in a non-debug configuration. The ErrorHandler now escape alls properties of the | ||
| CVE-2020-5255 | — | >= 4.4.0, < 4.4.7 | 4.4.7 | Mar 30, 2020 | In Symfony before versions 4.4.7 and 5.0.7, when a `Response` does not contain a `Content-Type` header, affected versions of Symfony can fallback to the format defined in the `Accept` header of the request, leading to a possible mismatch between the response's content and `Co |
- CVE-2023-46735Nov 10, 2023affected >= 6.0.0, < 6.3.8fixed 6.3.8
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in version 6.0.0 and prior to version 6.3.8, the error message in `WebhookController` returns unescaped user-submitted input. As of version 6.3.8, `WebhookController` now do
- CVE-2023-46734Nov 10, 2023affected >= 2.0.0, < 4.4.51fixed 4.4.51
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 2.0.0, 5.0.0, and 6.0.0 and prior to versions 4.4.51, 5.4.31, and 6.3.8, some Twig filters in CodeExtension use `is_safe=html` but don't actually ensure their in
- CVE-2023-46733Nov 10, 2023affected >= 5.4.21, < 5.4.31fixed 5.4.31
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 5.4.21 and 6.2.7 and prior to versions 5.4.31 and 6.3.8, `SessionStrategyListener` does not migrate the session after every successful login. It does so only in
- CVE-2022-24894Feb 3, 2023affected >= 2.0.0, < 4.4.50fixed 4.4.50
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony HTTP cache system, acts as a reverse proxy: It caches entire responses (including headers) and returns them to the clients. In a recent change in the `AbstractSessionList
- CVE-2022-24895Feb 3, 2023affected >= 2.0.0, < 4.4.50fixed 4.4.50
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. When authenticating users Symfony by default regenerates the session ID upon login, but preserves the rest of session attributes. Because this does not clear CSRF tokens upon login,
- CVE-2022-23601Feb 1, 2022affected < 5.3.15fixed 5.3.15
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony form component provides a CSRF protection mechanism by using a random token injected in the form and using the session to store and control the token submitted by the use
- CVE-2021-41270Nov 24, 2021affected >= 4.1.0, < 4.4.35fixed 4.4.35
Symfony/Serializer handles serializing and deserializing data structures for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Symfony versions 4.1.0 before 4.4.35 and versions 5.0.0 before 5.3.12 are vulnerable to CSV injection, also
- CVE-2021-41267Nov 24, 2021affected >= 5.2.0, < 5.3.12fixed 5.3.12
Symfony/Http-Kernel is the HTTP kernel component for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Headers that are not part of the "trusted_headers" allowed list are ignored and protect users from "Cache poisoning" attacks. In Sy
- CVE-2021-41268Nov 24, 2021affected >= 5.3.0, < 5.3.12fixed 5.3.12
Symfony/SecurityBundle is the security system for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Since the rework of the Remember me cookie in version 5.3.0, the cookie is not invalidated when the user changes their password. Attac
- CVE-2021-32693Jun 17, 2021affected >= 5.3.0, < 5.3.2fixed 5.3.2
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. A vulnerability related to firewall authentication is in Symfony starting with version 5.3.0 and prior to 5.3.2. When an application defines multiple firewalls, the token authenticat
- CVE-2021-21424May 13, 2021affected >= 2.8.0, < 3.4.48fixed 3.4.48
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling depending on whether the user existed or not when attempting to use the switch user
- CVE-2020-15094Sep 2, 2020affected >= 4.4.0, < 4.4.13fixed 4.4.13
In Symfony before versions 4.4.13 and 5.1.5, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The cl
- CVE-2020-5275Mar 30, 2020affected >= 4.4.0, < 4.4.7fixed 4.4.7
In symfony/security-http before versions 4.4.7 and 5.0.7, when a `Firewall` checks access control rule, it iterate overs each rule's attributes and stops as soon as the accessDecisionManager decides to grant access on the attribute, preventing the check of next attributes that sh
- CVE-2020-5274Mar 30, 2020affected >= 4.4.0, < 4.4.4fixed 4.4.4
In Symfony before versions 5.0.5 and 4.4.5, some properties of the Exception were not properly escaped when the `ErrorHandler` rendered it stacktrace. In addition, the stacktrace were displayed even in a non-debug configuration. The ErrorHandler now escape alls properties of the
- CVE-2020-5255Mar 30, 2020affected >= 4.4.0, < 4.4.7fixed 4.4.7
In Symfony before versions 4.4.7 and 5.0.7, when a `Response` does not contain a `Content-Type` header, affected versions of Symfony can fallback to the format defined in the `Accept` header of the request, leading to a possible mismatch between the response's content and `Co