4.3 Medium
CVSS2
Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | PARTIAL |
Availability Impact | NONE |
AV:N/AC:M/Au:N/C:N/I:P/A:N
Symfony is susceptible to unauthorized access. A malicious user can bypass URL signing and security rules by passing an empty or invalid hash to the `_fragment` path to gain access to any controller since the application does not properly check if the `_controller` attribute was set. This only affects applications which have ESI or SSI support enabled.
CPE

Name | Operator | Version |
---|---|---|
symfony/symfony | le | 2.6.7 |
symfony/symfony | le | 2.5.11 |
symfony/symfony | le | 2.3.28 |
symfony/symfony | le | 2.4.10 |
lists.fedoraproject.org/pipermail/package-announce/2015-June/159513.html
lists.fedoraproject.org/pipermail/package-announce/2015-June/159603.html
lists.fedoraproject.org/pipermail/package-announce/2015-June/159610.html
symfony.com/blog/cve-2015-4050-esi-unauthorized-access
www.debian.org/security/2015/dsa-3276
www.securityfocus.com/bid/74928