Sulu grants access to pages regardless of role permissions

2024-03-0420:45:08

Google

osv.dev

access control

permissions

vulnerability

web security

patch

version control

workaround

CVSS3

6.8

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

AI Score

6.9

Confidence

High

EPSS

Percentile

9.0%

JSON

Impact

What kind of vulnerability is it? Who is impacted?

Access to pages is granted regardless of role permissions for webspaces which have a security system configured and permission check enabled. Webspaces without do not have this issue.

Patches

Has the problem been patched? What versions should users upgrade to?

The problem is patched with Version 2.4.17 and 2.5.13.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Remove following lines from vendor/symfony/security-http/HttpUtils.php:

-            // Shortcut if request has already been matched before
-            if ($request-&gt;attributes-&gt;has('_route')) {
-                return $path === $request-&gt;attributes-&gt;get('_route');
 -           }

Or do not install symfony/security-http versions greater equal than v5.4.30 or v6.3.6.