CVE-2020-5275: Firewall configured with unanimous strategy was not actually unanimous in symfony/security-http
First published: Mon Mar 30 2020(Updated: )
CVE-2020-5275: All rules set in "access_control" are required when the firewall is configured with the unanimous strategy
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/symfony/security-http | >=4.4.0<4.4.7>=5.0.0<5.0.7 | |
| composer/symfony/security | >=4.4.0<4.4.7 | |
| composer/symfony/symfony | >=4.4.0<4.4.7>=5.0.0<5.0.7 | |
| SensioLabs Symfony | >=4.4.0<4.4.7 | |
| SensioLabs Symfony | >=5.0.0<5.0.7 | |
| composer/symfony/symfony | >=5.0.0<5.0.7 | 5.0.7 |
| composer/symfony/symfony | >=4.4.0<4.4.7 | 4.4.7 |
| composer/symfony/security-http | >=5.0.0<5.0.7 | 5.0.7 |
| composer/symfony/security-http | >=4.4.0<4.4.7 | 4.4.7 |
| composer/symfony/security | >=5.0.0<5.0.7 | 5.0.7 |
| composer/symfony/security | >=4.4.0<4.4.7 | 4.4.7 |
| >=4.4.0<4.4.7 | ||
| >=5.0.0<5.0.7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://symfony.com/cve-2020-5275
- https://github.com/symfony/symfony/commit/c935e4a3fba6cc2ab463a6ca382858068d63cebf
- https://github.com/symfony/symfony/security/advisories/GHSA-g4m9-5hpf-hx72
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C36JLPHUPKDFAX6D5WYFC4ALO2K7RDUQ/
- https://nvd.nist.gov/vuln/detail/CVE-2020-5275
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2020-5275.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security/CVE-2020-5275.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2020-5275.yaml
- https://github.com/advisories/GHSA-g4m9-5hpf-hx72 (Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C36JLPHUPKDFAX6D5WYFC4ALO2K7RDUQ/
Frequently Asked Questions
What is CVE-2020-5275?
CVE-2020-5275 is a vulnerability in the symfony/security-http package before versions 4.4.7 and 5.0.7.
How does CVE-2020-5275 impact the firewall configuration?
CVE-2020-5275 affects the firewall configuration in Symfony, where it stops checking access control rules as soon as access is granted on an attribute, potentially allowing unauthorized access.
What is the severity level of CVE-2020-5275?
CVE-2020-5275 has a high severity level with a CVSS score of 8.1.
How can I fix CVE-2020-5275?
To fix CVE-2020-5275, you should update the affected symfony/security-http package to version 4.4.7 or 5.0.7.
Where can I find more information about CVE-2020-5275?
You can find more information about CVE-2020-5275 on the Symfony website and the relevant GitHub commits and advisories.
- collector/friends-of-php
- collector/nvd-index
- agent/weakness
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-g4m9-5hpf-hx72
- alias/CVE-2020-5275
- agent/software-canonical-lookup
- agent/severity
- agent/remedy
- agent/description
- agent/references
- agent/author
- agent/softwarecombine
- collector/nvd-cve
- source/NVD
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/last-modified-date
- agent/tags
- agent/event
- package-manager/composer
- vendor/sensiolabs
- canonical/sensiolabs symfony
- version/sensiolabs symfony/4.4.0
- version/sensiolabs symfony/5.0.0