CVE-2020-15094 – RCE in Symfony
https://notcve.org/view.php?id=CVE-2020-15094
In Symfony before versions 4.4.13 and 5.1.5, the CachingHttpClient class from the HttpClient Symfony component relies on the HttpCache class to handle requests. HttpCache uses internal headers like X-Body-Eval and X-Body-File to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by CachingHttpClient and if an attacker can control the response for a request being made by the CachingHttpClient, remote code execution is possible. This has been fixed in versions 4.4.13 and 5.1.5. • https://github.com/symfony/symfony/commit/d9910e0b33a2e0f993abff41c6fbc86951b66d78 https://github.com/symfony/symfony/security/advisories/GHSA-754h-5r27-7x3r https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HNGUWOEETOFVH4PN3I3YO4QZHQ4AUKF3 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VAQJXAKWPMWB7OL6QPG2ZSEQZYYPU5RC https://packagist.org/packages/symfony/http-kernel https://packagist.org/packages/symfony/symfony • CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer •
CVE-2020-5275 – Firewall configured with unanimous strategy was not actually unanimous in symfony/security-http
https://notcve.org/view.php?id=CVE-2020-5275
In symfony/security-http before versions 4.4.7 and 5.0.7, when a `Firewall` checks access control rule, it iterate overs each rule's attributes and stops as soon as the accessDecisionManager decides to grant access on the attribute, preventing the check of next attributes that should have been take into account in an unanimous strategy. The accessDecisionManager is now called with all attributes at once, allowing the unanimous strategy being applied on each attribute. This issue is patched in versions 4.4.7 and 5.0.7. En symfony/security-http versiones anteriores a 4.4.7 y 5.0.7, cuando un "Firewall" comprueba la regla de control de acceso, itera sobre los atributos de cada regla y se detiene tan pronto como accessDecisionManager decide otorgar acceso sobre el atributo, impidiendo la comprobación de los siguientes atributos que deberían haberse tenido en cuenta en una estrategia unánime. AccessDecisionManager es ahora llamado con todos los atributos a la vez, permitiendo que la estrategia unánime sea aplicada en cada atributo. • https://github.com/symfony/symfony/commit/c935e4a3fba6cc2ab463a6ca382858068d63cebf https://github.com/symfony/symfony/security/advisories/GHSA-g4m9-5hpf-hx72 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C36JLPHUPKDFAX6D5WYFC4ALO2K7RDUQ • CWE-285: Improper Authorization CWE-863: Incorrect Authorization •
CVE-2020-5274 – Exceptions displayed in non-debug configurations in Symfony
https://notcve.org/view.php?id=CVE-2020-5274
In Symfony before versions 5.0.5 and 4.4.5, some properties of the Exception were not properly escaped when the `ErrorHandler` rendered it stacktrace. In addition, the stacktrace were displayed even in a non-debug configuration. The ErrorHandler now escape alls properties of the exception, and the stacktrace is only display in debug configuration. This issue is patched in symfony/http-foundation versions 4.4.5 and 5.0.5 En Symfony versiones anteriores a 5.0.5 y 4.4.5, algunas propiedades de la Excepción no fueron escapados apropiadamente cuando el "ErrorHandler" la renderizó en stacktrace. Además, el stacktrace fue desplegado incluso en una configuración sin depuración. • https://github.com/symfony/symfony/commit/629d21b800a15dc649fb0ae9ed7cd9211e7e45db https://github.com/symfony/symfony/commit/cf80224589ac05402d4f72f5ddf80900ec94d5ad https://github.com/symfony/symfony/security/advisories/GHSA-m884-279h-32v2 • CWE-209: Generation of Error Message Containing Sensitive Information •
CVE-2020-5255 – Prevent cache poisoning via a Response Content-Type header
https://notcve.org/view.php?id=CVE-2020-5255
In Symfony before versions 4.4.7 and 5.0.7, when a `Response` does not contain a `Content-Type` header, affected versions of Symfony can fallback to the format defined in the `Accept` header of the request, leading to a possible mismatch between the response's content and `Content-Type` header. When the response is cached, this can prevent the use of the website by other users. This has been patched in versions 4.4.7 and 5.0.7. En Symfony en versiones anteriores a las versiones 4.4.7 y 5.0.7, cuando una "Response" no contiene un encabezado "Content-Type", las versiones afectadas de Symfony pueden retroceder al formato definido en el encabezado "Accept" de la petición, conllevando a una posible falta de coincidencia entre el contenido response's y el encabezado "Content-Type". Cuando la respuesta es almacenada en caché, esto puede impedir el uso del sitio web por otros usuarios. • https://github.com/symfony/symfony/commit/dca343442e6a954f96a2609e7b4e9c21ed6d74e6 https://github.com/symfony/symfony/security/advisories/GHSA-mcx4-f5f5-4859 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C36JLPHUPKDFAX6D5WYFC4ALO2K7RDUQ https://symfony.com/blog/cve-2020-5255-prevent-cache-poisoning-via-a-response-content-type-header • CWE-20: Improper Input Validation CWE-435: Improper Interaction Between Multiple Correctly-Behaving Entities •
CVE-2013-4752
https://notcve.org/view.php?id=CVE-2013-4752
Symfony 2.0.X before 2.0.24, 2.1.X before 2.1.12, 2.2.X before 2.2.5, and 2.3.X before 2.3.3 have an issue in the HttpFoundation component. The Host header can be manipulated by an attacker when the framework is generating an absolute URL. A remote attacker could exploit this vulnerability to inject malicious content into the Web application page and conduct various attacks. Symfony versiones 2.0.X anteriores a 2.0.24, versiones 2.1.X anteriores a 2.1.12, versiones 2.2.X anteriores a 2.2.5 y versiones 2.3.X anteriores a 2.3.3, tienen un problema en el componente HttpFoundation. El atacante puede manipular el encabezado del host cuando el framework está generando una URL absoluta. • http://lists.fedoraproject.org/pipermail/package-announce/2013-August/114450.html http://lists.fedoraproject.org/pipermail/package-announce/2013-August/114461.html http://symfony.com/blog/security-releases-symfony-2-0-24-2-1-12-2-2-5-and-2-3-3-released http://www.securityfocus.com/bid/61715 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4752 https://exchange.xforce.ibmcloud.com/vulnerabilities/86365 https://exchange.xforce.ibmcloud.com/vulnerabilities/86366 https://exchange.xforce.ibm • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •