Miggo Logo

CVE-2020-5275: Firewall configured with unanimous strategy was not actually unanimous in Symfony

7.6

CVSS Score
3.1

Basic Information

EPSS Score
0.50525%
Published
3/30/2020
Updated
2/5/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
symfony/securitycomposer>= 4.4.0, < 4.4.74.4.7
symfony/securitycomposer>= 5.0.0, < 5.0.75.0.7
symfony/security-httpcomposer>= 4.4.0, < 4.4.74.4.7
symfony/security-httpcomposer>= 5.0.0, < 5.0.75.0.7
symfony/symfonycomposer>= 4.4.0, < 4.4.74.4.7
symfony/symfonycomposer>= 5.0.0, < 5.0.75.0.7

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stemmed from how AccessListener's handle() method looped through security attributes and called AccessDecisionManager::decide() for each attribute individually. This bypassed the unanimous strategy's requirement that all attributes must grant access. The commit diff shows the loop was removed, and decide() was instead called with all attributes at once. Both methods are directly involved in the flawed logic: handle() for the incorrect iteration, and decide() for not processing all attributes collectively in this context.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

**s*ription ----------- On Sym*ony ***or* *.*.*, w**n * `*ir*w*ll` ****ks *n ****ss *ontrol rul* (usin* t** un*nimous str*t**y), it it*r*t*s ov*r *ll rul* *ttri*ut*s *n* *r*nt ****ss only i* **ll* **lls to t** `****ss***isionM*n***r` ***i** to *r*nt

Reasoning

T** vuln*r**ility st*mm** *rom *ow `****ssList*n*r`'s `**n*l*()` m*t*o* loop** t*rou** s**urity *ttri*ut*s *n* **ll** `****ss***isionM*n***r::***i**()` *or **** *ttri*ut* in*ivi*u*lly. T*is *yp*ss** t** un*nimous str*t**y's r*quir*m*nt t**t *ll *ttri