ghsa-g4m9-5hpf-hx72
Vulnerability from github
Published
2020-03-30 20:09
Modified
2024-02-05 11:13
Severity ?
Summary
Firewall configured with unanimous strategy was not actually unanimous in Symfony
Details
Description
On Symfony before 4.4.0, when a Firewall checks an access control rule (using the unanimous strategy), it iterates over all rule attributes and grant access only if all calls to the accessDecisionManager decide to grant access.
As of Symfony 4.4.0, a bug was introduced that prevents the check of attributes as soon as accessDecisionManager decide to grant access on one attribute.
Resolution
The accessDecisionManager is now called with all attributes at once, allowing the unanimous strategy being applied on each attribute.
The patch for this issue is available here for the 4.4 branch.
Credits
I would like to thank Antonio J. García Lagar for reporting & Robin Chalas for fixing the issue.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/security"
},
"ranges": [
{
"events": [
{
"introduced": "4.4.0"
},
{
"fixed": "4.4.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/security"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.0.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/security-http"
},
"ranges": [
{
"events": [
{
"introduced": "4.4.0"
},
{
"fixed": "4.4.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/security-http"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.0.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "4.4.0"
},
{
"fixed": "4.4.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "symfony/symfony"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.0.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-5275"
],
"database_specific": {
"cwe_ids": [
"CWE-285"
],
"github_reviewed": true,
"github_reviewed_at": "2020-03-30T19:45:26Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "Description\n-----------\n\nOn Symfony before 4.4.0, when a `Firewall` checks an access control rule (using the unanimous strategy), it iterates over all rule attributes and grant access only if *all* calls to the `accessDecisionManager` decide to grant access.\n\nAs of Symfony 4.4.0, a bug was introduced that prevents the check of attributes as soon as `accessDecisionManager` decide to grant access on one attribute.\n\nResolution\n----------\n\nThe `accessDecisionManager` is now called with all attributes at once, allowing the unanimous strategy being applied on each attribute. \n\nThe patch for this issue is available [here](https://github.com/symfony/symfony/commit/c935e4a3fba6cc2ab463a6ca382858068d63cebf) for the 4.4 branch.\n\nCredits\n-------\n\nI would like to thank Antonio J. Garc\u00eda Lagar for reporting \u0026 Robin Chalas for fixing the issue.",
"id": "GHSA-g4m9-5hpf-hx72",
"modified": "2024-02-05T11:13:15Z",
"published": "2020-03-30T20:09:44Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/symfony/symfony/security/advisories/GHSA-g4m9-5hpf-hx72"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5275"
},
{
"type": "WEB",
"url": "https://github.com/symfony/symfony/commit/c935e4a3fba6cc2ab463a6ca382858068d63cebf"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2020-5275.yaml"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security/CVE-2020-5275.yaml"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2020-5275.yaml"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C36JLPHUPKDFAX6D5WYFC4ALO2K7RDUQ"
},
{
"type": "WEB",
"url": "https://symfony.com/cve-2020-5275"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Firewall configured with unanimous strategy was not actually unanimous in Symfony"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.