CVE-2020-5255

2020-03-3020:15:19

Debian Security Bug Tracker

security-tracker.debian.org

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:N/I:N/A:P

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

0.002 Low

EPSS

Percentile

54.9%

JSON

In Symfony before versions 4.4.7 and 5.0.7, when a Response does not contain a Content-Type header, affected versions of Symfony can fallback to the format defined in the Accept header of the request, leading to a possible mismatch between the response's content and Content-Type header. When the response is cached, this can prevent the use of the website by other users. This has been patched in versions 4.4.7 and 5.0.7.

OSVersionArchitecturePackageVersionFilename
Debian12allsymfony< 4.4.8-1symfony_4.4.8-1_all.deb
Debian11allsymfony< 4.4.8-1symfony_4.4.8-1_all.deb
Debian10allsymfony< 3.4.22+dfsg-2+deb10u1symfony_3.4.22+dfsg-2+deb10u1_all.deb
Debian999allsymfony< 4.4.8-1symfony_4.4.8-1_all.deb
Debian13allsymfony< 4.4.8-1symfony_4.4.8-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	symfony	< 4.4.8-1	symfony_4.4.8-1_all.deb
Debian	11	all	symfony	< 4.4.8-1	symfony_4.4.8-1_all.deb
Debian	10	all	symfony	< 3.4.22+dfsg-2+deb10u1	symfony_3.4.22+dfsg-2+deb10u1_all.deb
Debian	999	all	symfony	< 4.4.8-1	symfony_4.4.8-1_all.deb
Debian	13	all	symfony	< 4.4.8-1	symfony_4.4.8-1_all.deb