CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-41267 – Webcache Poisoning in Symfony
https://notcve.org/view.php?id=CVE-2021-41267
Symfony/Http-Kernel is the HTTP kernel component for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Headers that are not part of the "trusted_headers" allowed list are ignored and protect users from "Cache poisoning" attacks. In Symfony 5.2, maintainers added support for the `X-Forwarded-Prefix` headers, but this header was accessible in SubRequest, even if it was not part of the "trusted_headers" allowed list. An attacker could leverage this opportunity to forge requests containing a `X-Forwarded-Prefix` header, leading to a web cache poisoning issue. Versions 5.3.12 and later have a patch to ensure that the `X-Forwarded-Prefix` header is not forwarded to subrequests when it is not trusted. • https://github.com/symfony/symfony/commit/95dcf51682029e89450aee86267e3d553aa7c487 https://github.com/symfony/symfony/pull/44243 https://github.com/symfony/symfony/releases/tag/v5.3.12 https://github.com/symfony/symfony/security/advisories/GHSA-q3j3-w37x-hq2q • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 5.3EPSS: 0%CPEs: 5EXPL: 0CVE-2021-21424 – Prevent user enumeration using Guard or the new Authenticator-based Security
https://notcve.org/view.php?id=CVE-2021-21424
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling depending on whether the user existed or not when attempting to use the switch users functionality. We now ensure that 403s are returned whether the user exists or not if a user cannot switch to a user or if the user does not exist. The patch for this issue is available for branch 3.4. Symfony es un framework PHP para aplicaciones web y de consola y un conjunto de componentes PHP reutilizables. • https://github.com/symfony/symfony/commit/2a581d22cc621b33d5464ed65c4bc2057f72f011 https://github.com/symfony/symfony/security/advisories/GHSA-5pv8-ppvj-4h68 https://lists.debian.org/debian-lts-announce/2023/07/msg00014.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KENRNLB3FYXYGDWRBH2PDBOZZKOD7VY4 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RH7TMM5CHQYBFFGXWRPJDPB3SKCZXI2M https://lists.fedoraproject.org/archives/list/package-announce%40lists.fe • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-203: Observable Discrepancy •
CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 0CVE-2020-15094 – RCE in Symfony
https://notcve.org/view.php?id=CVE-2020-15094
In Symfony before versions 4.4.13 and 5.1.5, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response for a request being made by the CachingHttpClient, remote code execution is possible. This has been fixed in versions 4.4.13 and 5.1.5. • https://github.com/symfony/symfony/commit/d9910e0b33a2e0f993abff41c6fbc86951b66d78 https://github.com/symfony/symfony/security/advisories/GHSA-754h-5r27-7x3r https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HNGUWOEETOFVH4PN3I3YO4QZHQ4AUKF3 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VAQJXAKWPMWB7OL6QPG2ZSEQZYYPU5RC https://packagist.org/packages/symfony/http-kernel https://packagist.org/packages/symfony/symfony • CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer •
CVSS: 8.1EPSS: 0%CPEs: 2EXPL: 0CVE-2020-5275 – Firewall configured with unanimous strategy was not actually unanimous in symfony/security-http
https://notcve.org/view.php?id=CVE-2020-5275
In symfony/security-http before versions 4.4.7 and 5.0.7, when a `Firewall` checks access control rule, it iterate overs each rule's attributes and stops as soon as the accessDecisionManager decides to grant access on the attribute, preventing the check of next attributes that should have been take into account in an unanimous strategy. The accessDecisionManager is now called with all attributes at once, allowing the unanimous strategy being applied on each attribute. This issue is patched in versions 4.4.7 and 5.0.7. En symfony/security-http versiones anteriores a 4.4.7 y 5.0.7, cuando un "Firewall" comprueba la regla de control de acceso, itera sobre los atributos de cada regla y se detiene tan pronto como accessDecisionManager decide otorgar acceso sobre el atributo, impidiendo la comprobación de los siguientes atributos que deberían haberse tenido en cuenta en una estrategia unánime. AccessDecisionManager es ahora llamado con todos los atributos a la vez, permitiendo que la estrategia unánime sea aplicada en cada atributo. • https://github.com/symfony/symfony/commit/c935e4a3fba6cc2ab463a6ca382858068d63cebf https://github.com/symfony/symfony/security/advisories/GHSA-g4m9-5hpf-hx72 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C36JLPHUPKDFAX6D5WYFC4ALO2K7RDUQ • CWE-285: Improper Authorization CWE-863: Incorrect Authorization •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2020-5274 – Exceptions displayed in non-debug configurations in Symfony
https://notcve.org/view.php?id=CVE-2020-5274
In Symfony before versions 5.0.5 and 4.4.5, some properties of the Exception were not properly escaped when the `ErrorHandler` rendered it stacktrace. In addition, the stacktrace were displayed even in a non-debug configuration. The ErrorHandler now escape alls properties of the exception, and the stacktrace is only display in debug configuration. This issue is patched in symfony/http-foundation versions 4.4.5 and 5.0.5 En Symfony versiones anteriores a 5.0.5 y 4.4.5, algunas propiedades de la Excepción no fueron escapados apropiadamente cuando el "ErrorHandler" la renderizó en stacktrace. Además, el stacktrace fue desplegado incluso en una configuración sin depuración. • https://github.com/symfony/symfony/commit/629d21b800a15dc649fb0ae9ed7cd9211e7e45db https://github.com/symfony/symfony/commit/cf80224589ac05402d4f72f5ddf80900ec94d5ad https://github.com/symfony/symfony/security/advisories/GHSA-m884-279h-32v2 • CWE-209: Generation of Error Message Containing Sensitive Information •