CVSS: 8.1EPSS: 0%CPEs: 2EXPL: 0CVE-2020-5275 – Firewall configured with unanimous strategy was not actually unanimous in symfony/security-http
https://notcve.org/view.php?id=CVE-2020-5275
In symfony/security-http before versions 4.4.7 and 5.0.7, when a `Firewall` checks access control rule, it iterate overs each rule's attributes and stops as soon as the accessDecisionManager decides to grant access on the attribute, preventing the check of next attributes that should have been take into account in an unanimous strategy. The accessDecisionManager is now called with all attributes at once, allowing the unanimous strategy being applied on each attribute. This issue is patched in versions 4.4.7 and 5.0.7. En symfony/security-http versiones anteriores a 4.4.7 y 5.0.7, cuando un "Firewall" comprueba la regla de control de acceso, itera sobre los atributos de cada regla y se detiene tan pronto como accessDecisionManager decide otorgar acceso sobre el atributo, impidiendo la comprobación de los siguientes atributos que deberían haberse tenido en cuenta en una estrategia unánime. AccessDecisionManager es ahora llamado con todos los atributos a la vez, permitiendo que la estrategia unánime sea aplicada en cada atributo. • https://github.com/symfony/symfony/commit/c935e4a3fba6cc2ab463a6ca382858068d63cebf https://github.com/symfony/symfony/security/advisories/GHSA-g4m9-5hpf-hx72 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C36JLPHUPKDFAX6D5WYFC4ALO2K7RDUQ • CWE-285: Improper Authorization CWE-863: Incorrect Authorization •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2020-5274 – Exceptions displayed in non-debug configurations in Symfony
https://notcve.org/view.php?id=CVE-2020-5274
In Symfony before versions 5.0.5 and 4.4.5, some properties of the Exception were not properly escaped when the `ErrorHandler` rendered it stacktrace. In addition, the stacktrace were displayed even in a non-debug configuration. The ErrorHandler now escape alls properties of the exception, and the stacktrace is only display in debug configuration. This issue is patched in symfony/http-foundation versions 4.4.5 and 5.0.5 En Symfony versiones anteriores a 5.0.5 y 4.4.5, algunas propiedades de la Excepción no fueron escapados apropiadamente cuando el "ErrorHandler" la renderizó en stacktrace. Además, el stacktrace fue desplegado incluso en una configuración sin depuración. • https://github.com/symfony/symfony/commit/629d21b800a15dc649fb0ae9ed7cd9211e7e45db https://github.com/symfony/symfony/commit/cf80224589ac05402d4f72f5ddf80900ec94d5ad https://github.com/symfony/symfony/security/advisories/GHSA-m884-279h-32v2 • CWE-209: Generation of Error Message Containing Sensitive Information •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2020-5255 – Prevent cache poisoning via a Response Content-Type header
https://notcve.org/view.php?id=CVE-2020-5255
In Symfony before versions 4.4.7 and 5.0.7, when a `Response` does not contain a `Content-Type` header, affected versions of Symfony can fallback to the format defined in the `Accept` header of the request, leading to a possible mismatch between the response's content and `Content-Type` header. When the response is cached, this can prevent the use of the website by other users. This has been patched in versions 4.4.7 and 5.0.7. En Symfony en versiones anteriores a las versiones 4.4.7 y 5.0.7, cuando una "Response" no contiene un encabezado "Content-Type", las versiones afectadas de Symfony pueden retroceder al formato definido en el encabezado "Accept" de la petición, conllevando a una posible falta de coincidencia entre el contenido response's y el encabezado "Content-Type". Cuando la respuesta es almacenada en caché, esto puede impedir el uso del sitio web por otros usuarios. • https://github.com/symfony/symfony/commit/dca343442e6a954f96a2609e7b4e9c21ed6d74e6 https://github.com/symfony/symfony/security/advisories/GHSA-mcx4-f5f5-4859 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C36JLPHUPKDFAX6D5WYFC4ALO2K7RDUQ https://symfony.com/blog/cve-2020-5255-prevent-cache-poisoning-via-a-response-content-type-header • CWE-20: Improper Input Validation CWE-435: Improper Interaction Between Multiple Correctly-Behaving Entities •