Candidate: CVE-2020-5275
PublicDate: 2020-03-30 20:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5275
 https://symfony.com/blog/cve-2020-5275-all-access-control-rules-are-required-when-a-firewall-uses-the-unanimous-strategy
 https://github.com/symfony/symfony/commit/c935e4a3fba6cc2ab463a6ca382858068d63cebf
 https://github.com/symfony/symfony/security/advisories/GHSA-g4m9-5hpf-hx72
Description:
 In symfony/security-http before versions 4.4.7 and 5.0.7, when a `Firewall`
 checks access control rule, it iterate overs each rule's attributes and
 stops as soon as the accessDecisionManager decides to grant access on the
 attribute, preventing the check of next attributes that should have been
 take into account in an unanimous strategy. The accessDecisionManager is
 now called with all attributes at once, allowing the unanimous strategy
 being applied on each attribute. This issue is patched in versions 4.4.7
 and 5.0.7.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N [8.1 HIGH]


Patches_symfony:
 upstream: https://github.com/symfony/symfony/commit/c935e4a3fba6cc2ab463a6ca382858068d63cebf
upstream_symfony: released (4.4.7 and 5.0.7)
precise/esm_symfony: DNE
trusty_symfony: ignored (out of standard support)
trusty/esm_symfony: DNE
xenial_symfony: ignored (end of standard support, was needs-triage)
bionic_symfony: not-affected (code not present)
eoan_symfony: ignored (reached end-of-life)
focal_symfony: not-affected (code not present)
groovy_symfony: not-affected (4.4.8-1)
hirsute_symfony: not-affected (4.4.8-1)
impish_symfony: not-affected (4.4.8-1)
jammy_symfony: not-affected (4.4.8-1)
devel_symfony: not-affected (4.4.8-1)