GHSA-m884-279h-32v2
Suggest an improvement- Source
- https://github.com/advisories/GHSA-m884-279h-32v2
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/03/GHSA-m884-279h-32v2/GHSA-m884-279h-32v2.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-m884-279h-32v2
- Aliases
- Published
- 2020-03-30T20:09:31Z
- Modified
- 2024-02-16T08:18:29.975295Z
- Severity
-
- 4.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N CVSS Calculator
- Summary
- Exceptions displayed in non-debug configurations in Symfony
- Details
-
Description
When
ErrorHandlerrenders an exception HTML page, it uses un-escaped properties from the related Exception class to render the stacktrace. The security issue comes from the fact that the stacktraces were also displayed in non-debugenvironments.Resolution
The
ErrorHandlerclass now escapes all properties coming from the related Exception, and the stacktrace is not displayed anymore in non-debugenvironments.The patches for this issue are available here and here for branch 4.4.
Credits
I would like to thank Luka Sikic for reporting & Yonel Ceruto and Jérémy Derussé for fixing the issue.
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-209" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2020-03-30T19:36:11Z" }- References
-
- https://github.com/symfony/symfony/security/advisories/GHSA-m884-279h-32v2
- https://nvd.nist.gov/vuln/detail/CVE-2020-5274
- https://github.com/symfony/symfony/commit/629d21b800a15dc649fb0ae9ed7cd9211e7e45db
- https://github.com/symfony/symfony/commit/cf80224589ac05402d4f72f5ddf80900ec94d5ad
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/error-handler/CVE-2020-5274.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2020-5274.yaml
- https://symfony.com/cve-2020-5274
Affected packages
Packagist / symfony/error-handler
Package
- Name
- symfony/error-handler
- Purl
- pkg:composer/symfony/error-handler
Packagist / symfony/error-handler
Package
- Name
- symfony/error-handler
- Purl
- pkg:composer/symfony/error-handler
Packagist / symfony/symfony
Package
- Name
- symfony/symfony
- Purl
- pkg:composer/symfony/symfony
Packagist / symfony/symfony
Package
- Name
- symfony/symfony
- Purl
- pkg:composer/symfony/symfony