Incorrect Authorization Affecting symfony package, versions <4.4.8-1


Severity

Recommended
0.0
high
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
0.1% (42nd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Incorrect Authorization vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-DEBIAN12-SYMFONY-1560194
  • published31 Mar 2020
  • disclosed30 Mar 2020

Introduced: 30 Mar 2020

CVE-2020-5275  (opens in a new tab)
CWE-863  (opens in a new tab)

How to fix?

Upgrade Debian:12 symfony to version 4.4.8-1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream symfony package and not the symfony package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

In symfony/security-http before versions 4.4.7 and 5.0.7, when a Firewall checks access control rule, it iterate overs each rule's attributes and stops as soon as the accessDecisionManager decides to grant access on the attribute, preventing the check of next attributes that should have been take into account in an unanimous strategy. The accessDecisionManager is now called with all attributes at once, allowing the unanimous strategy being applied on each attribute. This issue is patched in versions 4.4.7 and 5.0.7.

CVSS Scores

version 3.1