CVSS3: 8.1 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: LOW
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: NONE
  Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVSS2: 5.5 Medium
  Access Vector: NETWORK (AV:N)
  Access Complexity: LOW (AC:L)
  Authentication: SINGLE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: NONE
  Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N

EPSS: 0.001 Low
  Percentile: 40.4%
In symfony/security-http before versions 4.4.7 and 5.0.7, when a Firewall
checks an access control rule, it iterates over each of the rule's attributes
and stops as soon as the accessDecisionManager grants access on one attribute,
so the remaining attributes are never checked even though the unanimous
strategy should have required every one of them. The practical effect is that
an access_control entry listing several roles could be satisfied by a token
holding only one of them. The accessDecisionManager is now called with all
attributes at once, allowing the unanimous strategy to be applied to each
attribute. This issue is patched in versions 4.4.7 and 5.0.7. Firewalls using
the default affirmative strategy are not affected, since one granted attribute
is sufficient there by design.
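The following is an added example written for this page, not Symfony's own code or the patch from the advisory. It is a stripped-down model of voter-based authorization: the Token, Voter, RoleVoter and AccessDecisionManager classes and the two checkAccess functions are simplified stand-ins (assumptions) whose names mirror the advisory's vocabulary, while the affirmative/unanimous semantics and the RoleVoter's any-role behaviour follow Symfony's documented contracts. The sample access_control rule and tokens are constructed. It requires PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Added example for this page (not Symfony code). Class and function names
// are simplified assumptions; the strategy semantics follow Symfony's
// documented behaviour. Requires PHP 8.0+ (match, str_starts_with).

const ACCESS_GRANTED = 1;
const ACCESS_ABSTAIN = 0;
const ACCESS_DENIED  = -1;

final class Token
{
    /** @param string[] $roles */
    public function __construct(public array $roles) {}
}

interface Voter
{
    /** @param string[] $attributes */
    public function vote(Token $token, array $attributes): int;
}

// Votes on ROLE_* attributes only: grants if the token holds ANY of them,
// denies if it holds none, abstains if no attribute is a role.
final class RoleVoter implements Voter
{
    public function vote(Token $token, array $attributes): int
    {
        $result = ACCESS_ABSTAIN;
        foreach ($attributes as $attribute) {
            if (!str_starts_with($attribute, 'ROLE_')) {
                continue;
            }
            $result = ACCESS_DENIED;
            if (in_array($attribute, $token->roles, true)) {
                return ACCESS_GRANTED;
            }
        }
        return $result;
    }
}

final class AccessDecisionManager
{
    /** @param Voter[] $voters */
    public function __construct(private array $voters, private string $strategy) {}

    public function decide(Token $token, array $attributes): bool
    {
        return match ($this->strategy) {
            'affirmative' => $this->decideAffirmative($token, $attributes),
            'unanimous'   => $this->decideUnanimous($token, $attributes),
        };
    }

    // Affirmative: one GRANTED vote from any voter is enough.
    private function decideAffirmative(Token $token, array $attributes): bool
    {
        foreach ($this->voters as $voter) {
            if ($voter->vote($token, $attributes) === ACCESS_GRANTED) {
                return true;
            }
        }
        return false;
    }

    // Unanimous: every voter is asked about EVERY attribute separately;
    // a single DENIED on any attribute denies the whole request.
    private function decideUnanimous(Token $token, array $attributes): bool
    {
        $grant = 0;
        foreach ($this->voters as $voter) {
            foreach ($attributes as $attribute) {
                $vote = $voter->vote($token, [$attribute]);
                if ($vote === ACCESS_DENIED) {
                    return false;
                }
                if ($vote === ACCESS_GRANTED) {
                    ++$grant;
                }
            }
        }
        return $grant > 0;
    }
}

// Pre-4.4.7 / 5.0.7 behaviour as the advisory describes it: the firewall walks
// the rule's attributes itself and returns on the first grant, so the decision
// manager never sees the attributes that follow.
function checkAccessVulnerable(AccessDecisionManager $adm, Token $token, array $attributes): bool
{
    foreach ($attributes as $attribute) {
        if ($adm->decide($token, [$attribute])) {
            return true;
        }
    }
    return false;
}

// Patched behaviour: a single decide() call carrying every attribute, so the
// unanimous strategy can evaluate each one.
function checkAccessFixed(AccessDecisionManager $adm, Token $token, array $attributes): bool
{
    return $adm->decide($token, $attributes);
}

// Constructed sample: access_control rule with roles [ROLE_USER, ROLE_ADMIN].
$rule  = ['ROLE_USER', 'ROLE_ADMIN'];
$user  = new Token(['ROLE_USER']);               // holds only one of the two
$admin = new Token(['ROLE_USER', 'ROLE_ADMIN']); // holds both

foreach (['affirmative', 'unanimous'] as $strategy) {
    $adm = new AccessDecisionManager([new RoleVoter()], $strategy);
    printf("%-11s vulnerable: user=%s admin=%s | fixed: user=%s admin=%s\n",
        $strategy,
        var_export(checkAccessVulnerable($adm, $user, $rule), true),
        var_export(checkAccessVulnerable($adm, $admin, $rule), true),
        var_export(checkAccessFixed($adm, $user, $rule), true),
        var_export(checkAccessFixed($adm, $admin, $rule), true));
}
```

Under the affirmative strategy both checks agree, which is why the loop went unnoticed. Under the unanimous strategy the vulnerable loop grants the ROLE_USER-only token because its first per-attribute decide() call succeeds and the ROLE_ADMIN attribute is never evaluated, whereas the single-call version receives a DENIED vote on ROLE_ADMIN and refuses. On a real deployment, confirm the installed package version with `composer show symfony/security-http` and check whether any firewall's access_decision_manager is configured with the unanimous strategy before deciding the exposure.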
github.com/symfony/symfony/commit/c935e4a3fba6cc2ab463a6ca382858068d63cebf
github.com/symfony/symfony/security/advisories/GHSA-g4m9-5hpf-hx72
launchpad.net/bugs/cve/CVE-2020-5275
nvd.nist.gov/vuln/detail/CVE-2020-5275
security-tracker.debian.org/tracker/CVE-2020-5275
symfony.com/blog/cve-2020-5275-all-access-control-rules-are-required-when-a-firewall-uses-the-unanimous-strategy
www.cve.org/CVERecord?id=CVE-2020-5275