Lucene search

K
cvelistGitHub_MCVELIST:CVE-2020-5275
HistoryMar 30, 2020 - 7:45 p.m.

CVE-2020-5275 Firewall configured with unanimous strategy was not actually unanimous in symfony/security-http

2020-03-3019:45:14
CWE-285
GitHub_M
www.cve.org

7.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

7.9 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

40.4%

In symfony/security-http before versions 4.4.7 and 5.0.7, when a Firewall checks access control rule, it iterate overs each rule’s attributes and stops as soon as the accessDecisionManager decides to grant access on the attribute, preventing the check of next attributes that should have been take into account in an unanimous strategy. The accessDecisionManager is now called with all attributes at once, allowing the unanimous strategy being applied on each attribute. This issue is patched in versions 4.4.7 and 5.0.7.

CNA Affected

[
  {
    "product": "symfony",
    "vendor": "symfony",
    "versions": [
      {
        "status": "affected",
        "version": ">= 4.4.0, < 4.4.7"
      },
      {
        "status": "affected",
        "version": ">= 5.0.0, < 5.0.7"
      }
    ]
  }
]

7.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

7.9 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

40.4%