CVE-2021-21424 – Prevent user enumeration using Guard or the new Authenticator-based Security
https://notcve.org/view.php?id=CVE-2021-21424
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Users could be enumerated without the relevant permissions because the switch-user functionality responded differently depending on whether the target user existed. A 403 is now returned both when the user does not exist and when the current user cannot switch to that user. The patch for this issue is available for branch 3.4.
https://github.com/symfony/symfony/commit/2a581d22cc621b33d5464ed65c4bc2057f72f011
https://github.com/symfony/symfony/security/advisories/GHSA-5pv8-ppvj-4h68
https://lists.debian.org/debian-lts-announce/2023/07/msg00014.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KENRNLB3FYXYGDWRBH2PDBOZZKOD7VY4
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RH7TMM5CHQYBFFGXWRPJDPB3SKCZXI2M
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fe
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-203: Observable Discrepancy

CVE-2020-15094 – RCE in Symfony
https://notcve.org/view.php?id=CVE-2020-15094
In Symfony before versions 4.4.13 and 5.1.5, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response for a request being made by the CachingHttpClient, remote code execution is possible. This has been fixed in versions 4.4.13 and 5.1.5.
https://github.com/symfony/symfony/commit/d9910e0b33a2e0f993abff41c6fbc86951b66d78
https://github.com/symfony/symfony/security/advisories/GHSA-754h-5r27-7x3r
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HNGUWOEETOFVH4PN3I3YO4QZHQ4AUKF3
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VAQJXAKWPMWB7OL6QPG2ZSEQZYYPU5RC
https://packagist.org/packages/symfony/http-kernel
https://packagist.org/packages/symfony/symfony
CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer

CVE-2020-5275 – Firewall configured with unanimous strategy was not actually unanimous in symfony/security-http
https://notcve.org/view.php?id=CVE-2020-5275
In symfony/security-http before versions 4.4.7 and 5.0.7, when a `Firewall` checks an access control rule, it iterates over each of the rule's attributes and stops as soon as the accessDecisionManager decides to grant access on an attribute, preventing the check of the remaining attributes that should have been taken into account in a unanimous strategy. The accessDecisionManager is now called with all attributes at once, allowing the unanimous strategy to be applied to each attribute. This issue is patched in versions 4.4.7 and 5.0.7.
https://github.com/symfony/symfony/commit/c935e4a3fba6cc2ab463a6ca382858068d63cebf
https://github.com/symfony/symfony/security/advisories/GHSA-g4m9-5hpf-hx72
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C36JLPHUPKDFAX6D5WYFC4ALO2K7RDUQ
CWE-285: Improper Authorization
CWE-863: Incorrect Authorization

CVE-2020-5274 – Exceptions displayed in non-debug configurations in Symfony
https://notcve.org/view.php?id=CVE-2020-5274
In Symfony before versions 5.0.5 and 4.4.5, some properties of the Exception were not properly escaped when the `ErrorHandler` rendered its stacktrace. In addition, the stacktrace was displayed even in a non-debug configuration. The ErrorHandler now escapes all properties of the exception, and the stacktrace is only displayed in debug configuration. This issue is patched in symfony/http-foundation versions 4.4.5 and 5.0.5.
https://github.com/symfony/symfony/commit/629d21b800a15dc649fb0ae9ed7cd9211e7e45db
https://github.com/symfony/symfony/commit/cf80224589ac05402d4f72f5ddf80900ec94d5ad
https://github.com/symfony/symfony/security/advisories/GHSA-m884-279h-32v2
CWE-209: Generation of Error Message Containing Sensitive Information

CVE-2020-5255 – Prevent cache poisoning via a Response Content-Type header
https://notcve.org/view.php?id=CVE-2020-5255
In Symfony before versions 4.4.7 and 5.0.7, when a `Response` does not contain a `Content-Type` header, affected versions of Symfony can fall back to the format defined in the `Accept` header of the request, leading to a possible mismatch between the response's content and `Content-Type` header. When the response is cached, this can prevent the use of the website by other users. This has been patched in versions 4.4.7 and 5.0.7.
https://github.com/symfony/symfony/commit/dca343442e6a954f96a2609e7b4e9c21ed6d74e6
https://github.com/symfony/symfony/security/advisories/GHSA-mcx4-f5f5-4859
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C36JLPHUPKDFAX6D5WYFC4ALO2K7RDUQ
https://symfony.com/blog/cve-2020-5255-prevent-cache-poisoning-via-a-response-content-type-header
CWE-20: Improper Input Validation
CWE-435: Improper Interaction Between Multiple Correctly-Behaving Entities