GHSA-g4m9-5hpf-hx72

Source
https://github.com/advisories/GHSA-g4m9-5hpf-hx72
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/03/GHSA-g4m9-5hpf-hx72/GHSA-g4m9-5hpf-hx72.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-g4m9-5hpf-hx72
Aliases
Related
Published
2020-03-30T20:09:44Z
Modified
2024-02-16T08:21:05.124729Z
Severity
  • 7.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Summary
Firewall configured with unanimous strategy was not actually unanimous in Symfony
Details

Description

On Symfony before 4.4.0, when a Firewall checks an access control rule (using the unanimous strategy), it iterates over all rule attributes and grants access only if every call to the accessDecisionManager decides to grant access.

As of Symfony 4.4.0, a bug was introduced that stops the check of the remaining attributes as soon as the accessDecisionManager decides to grant access on one attribute. In practice, an access control rule listing several attributes could be satisfied by a token that matched only one of them.

Resolution

The accessDecisionManager is now called with all attributes at once, so the unanimous strategy is applied to each attribute.

The patch for this issue is available here for the 4.4 branch.
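The following stand-alone script illustrates the difference between the two behaviours described above. It is an added example, not Symfony's own code: the voter, the unanimous decision function and the two listener loops are simplified reconstructions written for this page, and the rule (`ROLE_ADMIN` plus `ROLE_AUDITOR`), the token's roles and all function names are assumptions.

```php
<?php
declare(strict_types=1);

// Simplified model of an access decision with the "unanimous" strategy.
// This is an illustration written for this page, not Symfony's code.

const ACCESS_GRANTED = 1;
const ACCESS_ABSTAIN = 0;
const ACCESS_DENIED  = -1;

/**
 * A minimal role voter: abstains on attributes that are not roles,
 * grants when the token holds the role, denies otherwise.
 * Returns a callable of the form fn(array $roles, string $attribute): int
 */
function roleVoter(): callable
{
    return function (array $roles, string $attribute): int {
        if (strpos($attribute, 'ROLE_') !== 0) {
            return ACCESS_ABSTAIN;
        }
        return in_array($attribute, $roles, true) ? ACCESS_GRANTED : ACCESS_DENIED;
    };
}

/**
 * Unanimous strategy: every voter must grant (or abstain) on every
 * attribute; a single denial on any attribute denies the whole request.
 */
function decideUnanimous(array $voters, array $roles, array $attributes, bool $allowIfAllAbstain = false): bool
{
    $grant = 0;
    foreach ($attributes as $attribute) {
        foreach ($voters as $voter) {
            $result = $voter($roles, $attribute);
            if ($result === ACCESS_DENIED) {
                return false;
            }
            if ($result === ACCESS_GRANTED) {
                ++$grant;
            }
        }
    }
    return $grant > 0 ? true : $allowIfAllAbstain;
}

/**
 * Listener behaviour as described for 4.4.0 - 4.4.6 (assumed shape):
 * the attributes are checked one at a time and the loop stops at the
 * first one that is granted, so later attributes are never voted on.
 */
function vulnerableListener(array $voters, array $roles, array $attributes): bool
{
    foreach ($attributes as $attribute) {
        if (decideUnanimous($voters, $roles, [$attribute])) {
            return true; // remaining attributes are skipped: the bug
        }
    }
    return false;
}

/**
 * Fixed behaviour: all attributes are handed to the decision manager in
 * one call, so the unanimous strategy sees every attribute.
 */
function fixedListener(array $voters, array $roles, array $attributes): bool
{
    return decideUnanimous($voters, $roles, $attributes);
}

// Constructed access_control rule requiring two roles at once, and a
// token that holds only one of them.
$rule      = ['ROLE_ADMIN', 'ROLE_AUDITOR'];
$voters    = [roleVoter()];
$userRoles = ['ROLE_ADMIN'];

printf("vulnerable listener grants: %s\n", vulnerableListener($voters, $userRoles, $rule) ? 'yes' : 'no');
printf("fixed listener grants:      %s\n", fixedListener($voters, $userRoles, $rule) ? 'yes' : 'no');
```

Run it with `php unanimous_demo.php`. The vulnerable loop grants the request, because the decision on `ROLE_ADMIN` alone succeeds and `ROLE_AUDITOR` is never voted on; the fixed version denies it, because the voter denies `ROLE_AUDITOR` and a single denial is enough under the unanimous strategy. This is the same semantics regardless of how many attributes the rule lists: with the fixed call, a token must satisfy all of them.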

Credits

I would like to thank Antonio J. García Lagar for reporting & Robin Chalas for fixing the issue.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-285"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2020-03-30T19:45:26Z"
}
References

Affected packages

Packagist / symfony/security

Package

Name
symfony/security
Purl
pkg:composer/symfony/security

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.4.0
Fixed
4.4.7

Affected versions

v4.*

v4.4.0
v4.4.1
v4.4.2
v4.4.3
v4.4.4
v4.4.5
v4.4.6

Packagist / symfony/security

Package

Name
symfony/security
Purl
pkg:composer/symfony/security

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Fixed
5.0.7

Packagist / symfony/security-http

Package

Name
symfony/security-http
Purl
pkg:composer/symfony/security-http

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.4.0
Fixed
4.4.7

Affected versions

v4.*

v4.4.0
v4.4.1
v4.4.2
v4.4.3
v4.4.4
v4.4.5
v4.4.6

Packagist / symfony/security-http

Package

Name
symfony/security-http
Purl
pkg:composer/symfony/security-http

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Fixed
5.0.7

Affected versions

v5.*

v5.0.0
v5.0.1
v5.0.2
v5.0.3
v5.0.4
v5.0.5
v5.0.6

Packagist / symfony/symfony

Package

Name
symfony/symfony
Purl
pkg:composer/symfony/symfony

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.4.0
Fixed
4.4.7

Affected versions

v4.*

v4.4.0
v4.4.1
v4.4.2
v4.4.3
v4.4.4
v4.4.5
v4.4.6

Packagist / symfony/symfony

Package

Name
symfony/symfony
Purl
pkg:composer/symfony/symfony

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0
Fixed
5.0.7

Affected versions

v5.*

v5.0.0
v5.0.1
v5.0.2
v5.0.3
v5.0.4
v5.0.5
v5.0.6