ID CVE-2020-5275
Summary In symfony/security-http before versions 4.4.7 and 5.0.7, when a `Firewall` checks an access control rule, it iterates over each of the rule's attributes and stops as soon as the accessDecisionManager decides to grant access on that attribute, so the remaining attributes, which a unanimous strategy should have taken into account, are never checked. The accessDecisionManager is now called with all attributes at once, allowing the unanimous strategy to be applied to each attribute. This issue is patched in versions 4.4.7 and 5.0.7.
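The following is a constructed model of the decision logic described in the summary, added here for illustration and not Symfony's own code: a unanimous strategy evaluated once per attribute with an early exit on the first grant (the pre-fix behaviour) versus evaluated once over all attributes of a rule (the patched behaviour). The voters, the `IP_RESTRICTED` attribute, the rule and the token are assumptions made up for the example.

```python
# Constructed model (not Symfony code) of the check described in CVE-2020-5275:
# unanimous strategy per attribute with early exit vs. once over all attributes.
GRANTED, ABSTAIN, DENIED = 1, 0, -1

def role_voter(token, attribute):
    """Votes on ROLE_* attributes the way a role voter does; abstains otherwise."""
    if not attribute.startswith("ROLE_"):
        return ABSTAIN
    return GRANTED if attribute in token["roles"] else DENIED

def ip_voter(token, attribute):
    """Hypothetical voter for a constructed 'IP_RESTRICTED' attribute."""
    if attribute != "IP_RESTRICTED":
        return ABSTAIN
    return GRANTED if token["ip"] == "10.0.0.1" else DENIED

def decide_unanimous(voters, token, attributes):
    """Unanimous: any DENIED vote on any attribute denies; one GRANTED vote is required."""
    granted = 0
    for voter in voters:
        for attribute in attributes:
            vote = voter(token, attribute)
            if vote == DENIED:
                return False
            if vote == GRANTED:
                granted += 1
    return granted > 0

def check_vulnerable(voters, token, attributes):
    """Before 4.4.7 / 5.0.7: one decision per attribute, stop at the first grant."""
    for attribute in attributes:
        if decide_unanimous(voters, token, [attribute]):
            return True
    return False

def check_fixed(voters, token, attributes):
    """Patched: a single decision over all attributes of the rule."""
    return decide_unanimous(voters, token, attributes)

VOTERS = [role_voter, ip_voter]
RULE = ["ROLE_ADMIN", "IP_RESTRICTED"]  # constructed access_control rule
TOKEN = {"roles": ["ROLE_ADMIN"], "ip": "203.0.113.7"}  # admin from a non-allowed IP

if __name__ == "__main__":
    print("vulnerable:", check_vulnerable(VOTERS, TOKEN, RULE))  # True: IP restriction skipped
    print("fixed:", check_fixed(VOTERS, TOKEN, RULE))            # False: denied on IP_RESTRICTED
```

The same bypass appears with a rule listing two roles when the token holds only the first: the early exit grants on the first role and never evaluates the second.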
Vulnerable Configurations
  • cpe:2.3:a:sensiolabs:symfony:4.4.0:-:*:*:*:*:*:*
  • cpe:2.3:a:sensiolabs:symfony:4.4.0:beta1:*:*:*:*:*:*
  • cpe:2.3:a:sensiolabs:symfony:4.4.0:beta2:*:*:*:*:*:*
  • cpe:2.3:a:sensiolabs:symfony:4.4.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:sensiolabs:symfony:4.4.1:*:*:*:*:*:*:*
  • cpe:2.3:a:sensiolabs:symfony:4.4.2:*:*:*:*:*:*:*
  • cpe:2.3:a:sensiolabs:symfony:4.4.3:*:*:*:*:*:*:*
  • cpe:2.3:a:sensiolabs:symfony:4.4.4:*:*:*:*:*:*:*
  • cpe:2.3:a:sensiolabs:symfony:4.4.5:*:*:*:*:*:*:*
  • cpe:2.3:a:sensiolabs:symfony:4.4.6:*:*:*:*:*:*:*
  • cpe:2.3:a:sensiolabs:symfony:5.0.0:-:*:*:*:*:*:*
  • cpe:2.3:a:sensiolabs:symfony:5.0.0:beta1:*:*:*:*:*:*
  • cpe:2.3:a:sensiolabs:symfony:5.0.0:beta2:*:*:*:*:*:*
  • cpe:2.3:a:sensiolabs:symfony:5.0.0:rc1:*:*:*:*:*:*
  • cpe:2.3:a:sensiolabs:symfony:5.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:sensiolabs:symfony:5.0.2:*:*:*:*:*:*:*
  • cpe:2.3:a:sensiolabs:symfony:5.0.3:*:*:*:*:*:*:*
  • cpe:2.3:a:sensiolabs:symfony:5.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:sensiolabs:symfony:5.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:sensiolabs:symfony:5.0.6:*:*:*:*:*:*:*
CVSS
Base: 5.5 (as of 09-04-2020 - 17:15)
CWE CWE-863
Access
  Vector          NETWORK
  Complexity      LOW
  Authentication  SINGLE
Impact
  Confidentiality PARTIAL
  Integrity       PARTIAL
  Availability    NONE
cvss-vector via4 AV:N/AC:L/Au:S/C:P/I:P/A:N
refmap via4
confirm
fedora FEDORA-2020-fade6a8df7
Last major update 09-04-2020 - 17:15
Published 30-03-2020 - 20:15
Last modified 09-04-2020 - 17:15