GitHub_MCVELIST:CVE-2020-5275CVE-2020-5275 Firewall configured with unanimous strategy was not actually unanimous in symfony/security-http
7.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
7.9 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
40.5%
In symfony/security-http before versions 4.4.7 and 5.0.7, when a Firewall checks access control rule, it iterate overs each rule’s attributes and stops as soon as the accessDecisionManager decides to grant access on the attribute, preventing the check of next attributes that should have been take into account in an unanimous strategy. The accessDecisionManager is now called with all attributes at once, allowing the unanimous strategy being applied on each attribute. This issue is patched in versions 4.4.7 and 5.0.7.
CNA Affected
[
{
"product": "symfony",
"vendor": "symfony",
"versions": [
{
"status": "affected",
"version": ">= 4.4.0, < 4.4.7"
},
{
"status": "affected",
"version": ">= 5.0.0, < 5.0.7"
}
]
}
]Related
7.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
7.9 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
40.5%