CVE-2021-41270 – CSV Injection in Symfony
https://notcve.org/view.php?id=CVE-2021-41270
Symfony/Serializer handles serializing and deserializing data structures for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Symfony versions 4.1.0 before 4.4.35 and versions 5.0.0 before 5.3.12 are vulnerable to CSV injection, also known as formula injection. In Symfony 4.1, maintainers added the opt-in `csv_escape_formulas` option to the `CsvEncoder`, which prefixes every cell starting with `=`, `+`, `-` or `@` with a tab (`\t`). OWASP has since added two characters to that list, tab (0x09) and carriage return (0x0D), which makes the previous prefix character (tab, `\t`) itself one of the triggering characters; OWASP now suggests prefixing the value with a single quote `'` instead.

References:
https://github.com/symfony/symfony/commit/3da6f2d45e7536ccb2a26f52fbaf340917e208a8
https://github.com/symfony/symfony/pull/44243
https://github.com/symfony/symfony/releases/tag/v5.3.12
https://github.com/symfony/symfony/security/advisories/GHSA-2xhg-w2g5-w95x
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3BPT4SF6SIXFMZARDWED5T32J7JEH3EP
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QSREFD2TJT5LWKM6S4MD3W26NQQ5WJUP

Weakness: CWE-1236: Improper Neutralization of Formula Elements in a CSV File
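To make the advisory concrete, the following is an added example (not Symfony's own `CsvEncoder` code) that places the pre-fix escaping rule next to the corrected one; the function names are hypothetical and the sample row is constructed.

```php
<?php
// Added illustration of the CSV formula-escaping rule described in the
// advisory. Not Symfony's code; function names are hypothetical.

// Pre-fix rule: a cell starting with = + - @ is prefixed with a tab.
// Once tab itself counts as a formula trigger, the "escaped" cell still
// begins with a triggering character.
function escapeCellLegacy(string $cell): string
{
    if ($cell !== '' && strpbrk($cell[0], "=+-@") !== false) {
        return "\t" . $cell;
    }
    return $cell;
}

// Corrected rule: trigger list extended with tab (0x09) and carriage
// return (0x0D), and the prefix is a single quote, which a spreadsheet
// treats as "plain text follows", not as the start of a formula.
function escapeCell(string $cell): string
{
    if ($cell !== '' && strpbrk($cell[0], "=+-@\t\r") !== false) {
        return "'" . $cell;
    }
    return $cell;
}

// Defender-side check: does the cell still begin with a trigger
// character after escaping? (Uses the extended OWASP list.)
function startsWithTrigger(string $cell): bool
{
    return $cell !== '' && strpbrk($cell[0], "=+-@\t\r") !== false;
}

// Constructed sample row: one ordinary value and three values a
// spreadsheet would otherwise evaluate as formulas.
$row = ['alice', '=1+1', '-2', "\tx"];

// Write the row the way an encoder would, with the corrected rule applied.
$out = fopen('php://temp', 'r+');
fputcsv($out, array_map('escapeCell', $row));
rewind($out);
echo stream_get_contents($out);
fclose($out);

// Compare both rules cell by cell: the legacy rule leaves every
// formula-like cell starting with a trigger character.
foreach ($row as $cell) {
    printf("%-8s legacy-safe=%s fixed-safe=%s\n", json_encode($cell),
        startsWithTrigger(escapeCellLegacy($cell)) ? 'no' : 'yes',
        startsWithTrigger(escapeCell($cell)) ? 'no' : 'yes');
}
```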
CVE-2021-41267 – Webcache Poisoning in Symfony
https://notcve.org/view.php?id=CVE-2021-41267
Symfony/Http-Kernel is the HTTP kernel component for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Headers that are not part of the "trusted_headers" allowed list are ignored, which protects users from cache poisoning attacks. In Symfony 5.2, maintainers added support for the `X-Forwarded-Prefix` header, but this header was accessible in sub-requests even when it was not part of the "trusted_headers" allowed list. An attacker could leverage this to forge requests containing an `X-Forwarded-Prefix` header, leading to a web cache poisoning issue. Versions 5.3.12 and later contain a patch that ensures the `X-Forwarded-Prefix` header is not forwarded to sub-requests when it is not trusted.

References:
https://github.com/symfony/symfony/commit/95dcf51682029e89450aee86267e3d553aa7c487
https://github.com/symfony/symfony/pull/44243
https://github.com/symfony/symfony/releases/tag/v5.3.12
https://github.com/symfony/symfony/security/advisories/GHSA-q3j3-w37x-hq2q

Weakness: CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVE-2021-41268 – Cookie persistence in Symfony
https://notcve.org/view.php?id=CVE-2021-41268
Symfony/SecurityBundle is the security system for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Since the rework of the "remember me" cookie in version 5.3.0, the cookie is not invalidated when the user changes their password. Attackers can therefore keep their access to the account even after the password is changed, as long as they were able to log in once and obtain a valid remember-me cookie. Starting with version 5.3.12, Symfony makes the password part of the cookie signature by default, so that the cookie is no longer valid once the password changes.

References:
https://github.com/symfony/symfony/commit/36a808b857cd3240244f4b224452fb1e70dc6dfc
https://github.com/symfony/symfony/pull/44243
https://github.com/symfony/symfony/releases/tag/v5.3.12
https://github.com/symfony/symfony/security/advisories/GHSA-qw36-p97w-vcqr

Weakness: CWE-384: Session Fixation
CVE-2021-32693 – Authentication granted with multiple firewalls
https://notcve.org/view.php?id=CVE-2021-32693
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. A vulnerability related to firewall authentication exists in Symfony starting with version 5.3.0 and prior to 5.3.2. When an application defines multiple firewalls, the token authenticated by one of the firewalls was available to all other firewalls. This could be abused when the application defines different user providers for each part of the application: in that situation, a user authenticated on one part of the application could be considered authenticated on the rest of it. Starting in version 5.3.2, a patch ensures that the authenticated token is only available to the firewall that generated it.

References:
https://github.com/symfony/security-http/commit/6bf4c31219773a558b019ee12e54572174ff8129
https://github.com/symfony/symfony/commit/3084764ad82f29dbb025df19978b9cbc3ab34728
https://github.com/symfony/symfony/security/advisories/GHSA-rfcf-m67m-jcrq
https://symfony.com/blog/cve-2021-32693-authentication-granted-to-all-firewalls-instead-of-just-one

Weakness: CWE-287: Improper Authentication