SB2020033141 - Fedora 32 update for php-symfony4

Published: March 31, 2020 Updated: April 25, 2025

Security Bulletin ID SB2020033141
Severity
Medium
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium: 100% (2 of 2 vulnerabilities)

Description

This security bulletin contains information about 2 security vulnerabilities.


1) Input validation error (CVE-ID: CVE-2020-5255)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists because Symfony sets the default Content-Type header of a response based on the Accept header of the incoming request. A remote attacker can send a specially crafted HTTP request and force the application to cache an empty response, leading to a denial of service condition.


2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2020-5275)

The vulnerability allows a remote attacker to bypass implemented security measures.

The vulnerability exists due to a logical error when processing configured access control rules under the unanimous strategy in Symfony. When the `Firewall` checks an access control rule, it iterates over each of the rule's attributes and stops as soon as the accessDecisionManager grants access for that attribute, so the remaining attributes, which a unanimous strategy should also have required, are never checked.

A remote attacker can bypass configured rules and gain unauthorized access to the web application.
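The following is an added example, not Symfony's code or part of the original bulletin. It is a simplified Python model of the logic described above: a unanimous decision strategy with a single role voter, a `vulnerable_firewall_allows` function that checks a rule's attributes one at a time and stops at the first grant (the behaviour the bulletin describes), and a `fixed_firewall_allows` function that hands all attributes to the decision manager in one call. The voter, the function names and the sample rule and token are assumptions made for illustration.

```python
"""Simplified model (not Symfony's code) of the access-control check
described for CVE-2020-5275: the attributes of one access_control rule
checked one at a time versus all at once under a unanimous strategy."""
from enum import Enum


class Vote(Enum):
    GRANTED = 1
    ABSTAIN = 0
    DENIED = -1


def role_voter(attribute, token_roles):
    """Hypothetical voter: votes on ROLE_* attributes only and abstains
    on anything else, so a non-role attribute never causes a denial."""
    if not attribute.startswith("ROLE_"):
        return Vote.ABSTAIN
    return Vote.GRANTED if attribute in token_roles else Vote.DENIED


def decide_unanimous(token_roles, attributes, voters=(role_voter,),
                     allow_if_all_abstain=False):
    """Unanimous strategy as modelled here: any DENIED vote on any
    attribute rejects the request; otherwise at least one GRANTED vote
    is required unless all-abstain is configured to allow."""
    granted = 0
    for attribute in attributes:
        for voter in voters:
            vote = voter(attribute, token_roles)
            if vote is Vote.DENIED:
                return False
            if vote is Vote.GRANTED:
                granted += 1
    return granted > 0 or allow_if_all_abstain


def vulnerable_firewall_allows(token_roles, rule_attributes):
    """Behaviour described in the bulletin: the rule's attributes are
    checked one by one and the loop returns as soon as the decision
    manager grants one of them, leaving later attributes unchecked."""
    for attribute in rule_attributes:
        if decide_unanimous(token_roles, [attribute]):
            return True
    return False


def fixed_firewall_allows(token_roles, rule_attributes):
    """Corrected behaviour: every attribute goes to the decision manager
    in a single call, so unanimity is enforced across all of them."""
    return decide_unanimous(token_roles, rule_attributes)


if __name__ == "__main__":
    # Constructed inputs: a rule requiring both roles, a token with one.
    rule = ["ROLE_USER", "ROLE_ADMIN"]
    token = {"ROLE_USER"}
    print("vulnerable:", vulnerable_firewall_allows(token, rule))  # True
    print("fixed:     ", fixed_firewall_allows(token, rule))       # False
```

With the constructed rule requiring both `ROLE_USER` and `ROLE_ADMIN`, a token holding only `ROLE_USER` passes the per-attribute loop because the first attribute is granted and the second is never evaluated, while the single-call check denies it as soon as the role voter rejects `ROLE_ADMIN`.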


Remediation

Install the update from the vendor's website.