Candidate: CVE-2020-5274
PublicDate: 2020-03-30 20:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5274
 https://symfony.com/blog/cve-2020-5274-fix-exception-message-escaping-rendered-by-errorhandler
 https://github.com/symfony/symfony/commit/cf80224589ac05402d4f72f5ddf80900ec94d5ad
 https://github.com/symfony/symfony/commit/629d21b800a15dc649fb0ae9ed7cd9211e7e45db
 https://github.com/symfony/symfony/security/advisories/GHSA-m884-279h-32v2
Description:
 In Symfony before versions 5.0.5 and 4.4.5, some properties of the Exception were not properly escaped when the `ErrorHandler` rendered its stack trace. In addition, the stack trace was displayed even in a non-debug configuration. The ErrorHandler now escapes all properties of the exception, and the stack trace is only displayed in a debug configuration. This issue is patched in symfony/http-foundation versions 4.4.5 and 5.0.5.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N [5.4 MEDIUM]

Patches_symfony:
 upstream: https://github.com/symfony/symfony/commit/cf80224589ac05402d4f72f5ddf80900ec94d5ad
 upstream: https://github.com/symfony/symfony/commit/629d21b800a15dc649fb0ae9ed7cd9211e7e45db
upstream_symfony: released (4.4.5 and 5.0.5)
precise/esm_symfony: DNE
trusty_symfony: ignored (out of standard support)
trusty/esm_symfony: DNE
xenial_symfony: ignored (end of standard support, was needs-triage)
bionic_symfony: not-affected (code not present)
eoan_symfony: ignored (reached end-of-life)
focal_symfony: not-affected (code not present)
groovy_symfony: not-affected (4.4.8-1)
hirsute_symfony: not-affected (4.4.8-1)
impish_symfony: not-affected (4.4.8-1)
jammy_symfony: not-affected (4.4.8-1)
devel_symfony: not-affected (4.4.8-1)