GHSA-G4M9-5HPF-HX72
Vulnerability from github – Published: 2020-03-30 20:09 – Updated: 2024-02-05 11:13
VLAI?
Summary
Firewall configured with unanimous strategy was not actually unanimous in Symfony
Details
Description
On Symfony before 4.4.0, when a Firewall checks an access control rule (using the unanimous strategy), it iterates over all rule attributes and grant access only if all calls to the accessDecisionManager decide to grant access.
As of Symfony 4.4.0, a bug was introduced that prevents the check of attributes as soon as accessDecisionManager decide to grant access on one attribute.
Resolution
The accessDecisionManager is now called with all attributes at once, allowing the unanimous strategy being applied on each attribute.
The patch for this issue is available here for the 4.4 branch.
Credits
I would like to thank Antonio J. García Lagar for reporting & Robin Chalas for fixing the issue.
Severity ?
7.6 (High)
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/security"
},
"ranges": [
{
"events": [
{
"introduced": "4.4.0"
},
{
"fixed": "4.4.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/security"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.0.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/security-http"
},
"ranges": [
{
"events": [
{
"introduced": "4.4.0"
},
{
"fixed": "4.4.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/security-http"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.0.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "4.4.0"
},
{
"fixed": "4.4.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.0.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-5275"
],
"database_specific": {
"cwe_ids": [
"CWE-285"
],
"github_reviewed": true,
"github_reviewed_at": "2020-03-30T19:45:26Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "Description\n-----------\n\nOn Symfony before 4.4.0, when a `Firewall` checks an access control rule (using the unanimous strategy), it iterates over all rule attributes and grant access only if *all* calls to the `accessDecisionManager` decide to grant access.\n\nAs of Symfony 4.4.0, a bug was introduced that prevents the check of attributes as soon as `accessDecisionManager` decide to grant access on one attribute.\n\nResolution\n----------\n\nThe `accessDecisionManager` is now called with all attributes at once, allowing the unanimous strategy being applied on each attribute. \n\nThe patch for this issue is available [here](https://github.com/symfony/symfony/commit/c935e4a3fba6cc2ab463a6ca382858068d63cebf) for the 4.4 branch.\n\nCredits\n-------\n\nI would like to thank Antonio J. Garc\u00eda Lagar for reporting \u0026 Robin Chalas for fixing the issue.",
"id": "GHSA-g4m9-5hpf-hx72",
"modified": "2024-02-05T11:13:15Z",
"published": "2020-03-30T20:09:44Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/symfony/symfony/security/advisories/GHSA-g4m9-5hpf-hx72"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5275"
},
{
"type": "WEB",
"url": "https://github.com/symfony/symfony/commit/c935e4a3fba6cc2ab463a6ca382858068d63cebf"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2020-5275.yaml"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security/CVE-2020-5275.yaml"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2020-5275.yaml"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C36JLPHUPKDFAX6D5WYFC4ALO2K7RDUQ"
},
{
"type": "WEB",
"url": "https://symfony.com/cve-2020-5275"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Firewall configured with unanimous strategy was not actually unanimous in Symfony"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…