CVE-2020-5274

Exceptions displayed in non-debug configurations in Symfony

Severity Score

5.4

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In Symfony before versions 5.0.5 and 4.4.5, some properties of the Exception were not properly escaped when the `ErrorHandler` rendered it stacktrace. In addition, the stacktrace were displayed even in a non-debug configuration. The ErrorHandler now escape alls properties of the exception, and the stacktrace is only display in debug configuration. This issue is patched in symfony/http-foundation versions 4.4.5 and 5.0.5

En Symfony versiones anteriores a 5.0.5 y 4.4.5, algunas propiedades de la Excepción no fueron escapados apropiadamente cuando el "ErrorHandler" la renderizó en stacktrace. Además, el stacktrace fue desplegado incluso en una configuración sin depuración. ErrorHandler ahora escapa de todas las propiedades de la excepción, y el stacktrace se muestra solo en la configuración de depuración. Este problema está parcheado en Symfony/http-foundation versiones 4.4.5 y 5.0.5.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Partial

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-01-02 CVE Reserved
2020-03-30 CVE Published
2023-03-08 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-209: Generation of Error Message Containing Sensitive Information

CAPEC

References (3)

URL	Tag	Source
https://github.com/symfony/symfony/security/advisories/GHSA-m884-279h-32v2	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://github.com/symfony/symfony/commit/629d21b800a15dc649fb0ae9ed7cd9211e7e45db	2020-04-01
https://github.com/symfony/symfony/commit/cf80224589ac05402d4f72f5ddf80900ec94d5ad	2020-04-01

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Sensiolabs Search vendor "Sensiolabs"		Symfony Search vendor "Sensiolabs" for product "Symfony"				>= 4.4.0 < 4.4.4 Search vendor "Sensiolabs" for product "Symfony" and version " >= 4.4.0 < 4.4.4"		-		Affected
Sensiolabs Search vendor "Sensiolabs"		Symfony Search vendor "Sensiolabs" for product "Symfony"				>= 5.0.0 < 5.0.4 Search vendor "Sensiolabs" for product "Symfony" and version " >= 5.0.0 < 5.0.4"		-		Affected