CVE-2020-5275

Name	CVE-2020-5275
Description	In symfony/security-http before versions 4.4.7 and 5.0.7, when a `Firewall` checks access control rule, it iterate overs each rule's attributes and stops as soon as the accessDecisionManager decides to grant access on the attribute, preventing the check of next attributes that should have been take into account in an unanimous strategy. The accessDecisionManager is now called with all attributes at once, allowing the unanimous strategy being applied on each attribute. This issue is patched in versions 4.4.7 and 5.0.7.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	961415

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
symfony (PTS)	jessie, jessie (lts)	2.3.21+dfsg-4+deb8u6	fixed
	stretch (security)	2.8.7+dfsg-1.3+deb9u3	fixed
	stretch (lts), stretch	2.8.7+dfsg-1.3+deb9u5	fixed
	buster (security), buster, buster (lts)	3.4.22+dfsg-2+deb10u3	fixed
	bullseye	4.4.19+dfsg-2+deb11u6	fixed
	bookworm	5.4.23+dfsg-1+deb12u2	fixed
	bookworm (security)	5.4.23+dfsg-1+deb12u4	fixed
	sid, trixie	6.4.15+dfsg-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Debian Bugs
symfony	source	jessie	(not affected)
symfony	source	stretch	(not affected)
symfony	source	buster	(not affected)
symfony	source	(unstable)	4.4.8-1	961415

Notes

[buster] - symfony <not-affected> (Introduced in 4.4.0)
[stretch] - symfony <not-affected> (Introduced in 4.4.0)
[jessie] - symfony <not-affected> (Introduced in 4.4.0)
https://symfony.com/blog/cve-2020-5275-all-access-control-rules-are-required-when-a-firewall-uses-the-unanimous-strategy
https://github.com/symfony/symfony/commit/c935e4a3fba6cc2ab463a6ca382858068d63cebf