A vulnerability was found in Symfony up to 4.4.4/5.0.4. It has been declared as problematic. This vulnerability affects an unknown functionality of the component Exception Handler. The manipulation with an unknown input leads to a information exposure vulnerability. The CWE definition for the vulnerability is CWE-209. The product generates an error message that includes sensitive information about its environment, users, or associated data. As an impact it is known to affect confidentiality, and integrity. CVE summarizes:

In Symfony before versions 5.0.5 and 4.4.5, some properties of the Exception were not properly escaped when the `ErrorHandler` rendered it stacktrace. In addition, the stacktrace were displayed even in a non-debug configuration. The ErrorHandler now escape alls properties of the exception, and the stacktrace is only display in debug configuration. This issue is patched in symfony/http-foundation versions 4.4.5 and 5.0.5

The weakness was published 03/30/2020 (GitHub Repository). The advisory is shared for download at github.com. This vulnerability was named CVE-2020-5274 since 01/02/2020. The attack can be initiated remotely. The successful exploitation needs a single authentication. Successful exploitation requires user interaction by the victim. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1592.

Upgrading to version 4.4.5 or 5.0.5 eliminates this vulnerability.

Similar entry is available at 152439.

Productinfo

Name

• Symfony

Version

• 4.4.0
• 4.4.1
• 4.4.2
• 4.4.3
• 4.4.4
• 5.0.0
• 5.0.1
• 5.0.2
• 5.0.3
• 5.0.4

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion