Symfony · Symfony · CVE-2021-21424
**Name of the Vulnerable Software and Affected Versions**
Symfony versions prior to 3.4
**Description**
The issue is an information disclosure that allows a remote attacker to gain unauthorized access to protected information. It is caused by the ability to enumerate users without the relevant permissions: when the switch-user functionality was used, the request was handled differently depending on whether the target user existed. Additionally, users could be enumerated through a timing attack, by comparing the time elapsed when authenticating as an existing user versus a non-existing user.
**Recommendations**
For Symfony versions prior to 3.4, the patch for this issue is available for branch 3.4; it ensures that a 403 is returned, whether or not the target user exists, when the current user cannot switch to the target user or the target user does not exist. As a temporary workaround, consider restricting access to the switch-user functionality until the patch is applied.
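The following plain-PHP snippet is an added illustration of the two patterns the description and the recommendation contrast; it is not Symfony's own code and does not reproduce the project's patch. It models a switch-user endpoint with a hypothetical `UserProvider` (an in-memory user table constructed for the example) and a hypothetical `accessDecision()` helper standing in for the framework's authorization check. The vulnerable variant returns a 404 before any authorization work when the target does not exist and a 403 when it does, so both the status code and the elapsed time reveal whether an account exists; the hardened variant returns 403 in both cases and performs the same work on both paths, which is the behaviour the advisory says the fix guarantees.

```php
<?php
// Added example, not Symfony's code. Class and function names are hypothetical.

final class UserNotFoundException extends RuntimeException {}

// Constructed in-memory user store standing in for a framework user provider.
final class UserProvider
{
    /** @var array<string, array{roles: string[]}> */
    private array $users = [
        'alice' => ['roles' => ['ROLE_USER']],
        'bob'   => ['roles' => ['ROLE_USER']],
    ];

    public function loadUserByUsername(string $username): array
    {
        if (!isset($this->users[$username])) {
            throw new UserNotFoundException($username);
        }
        return ['username' => $username] + $this->users[$username];
    }
}

// Hypothetical stand-in for the authorization decision. A real decision
// manager runs every voter, which is measurable work; here it only checks a
// flag, but the point is that it is invoked (or not) on each code path.
function accessDecision(bool $callerMayImpersonate, ?array $target): bool
{
    return $callerMayImpersonate && $target !== null;
}

// Vulnerable pattern: the error path depends on whether the user exists.
// A missing user short-circuits with 404 before the authorization check runs;
// an existing user the caller may not impersonate goes through the check and
// yields 403. Both the code and the timing of the two paths differ.
function switchUserVulnerable(UserProvider $provider, bool $callerMayImpersonate, string $target): int
{
    try {
        $user = $provider->loadUserByUsername($target);
    } catch (UserNotFoundException $e) {
        return 404; // reveals "no such user"
    }
    if (!accessDecision($callerMayImpersonate, $user)) {
        return 403; // reveals "user exists, but you may not switch"
    }
    return 200;
}

// Hardened pattern: 403 whether the target is missing or the caller lacks
// permission, and the authorization check runs on both paths so the response
// time does not depend on the target's existence.
function switchUserHardened(UserProvider $provider, bool $callerMayImpersonate, string $target): int
{
    $user = null;
    try {
        $user = $provider->loadUserByUsername($target);
    } catch (UserNotFoundException $e) {
        // Deliberately swallowed: a missing user must be indistinguishable
        // from a forbidden switch in the response.
    }
    if (!accessDecision($callerMayImpersonate, $user)) {
        return 403;
    }
    return 200;
}

// Show the status codes an unprivileged caller sees for an existing and a
// non-existing target under each pattern.
$provider = new UserProvider();
foreach (['alice', 'nobody'] as $target) {
    printf(
        "%-7s vulnerable=%d hardened=%d\n",
        $target,
        switchUserVulnerable($provider, false, $target),
        switchUserHardened($provider, false, $target)
    );
}
// Expected: alice   vulnerable=403 hardened=403
//           nobody  vulnerable=404 hardened=403
```

When reviewing a switch-user or impersonation feature for this class of bug, check two things: that every failure path maps to the same response, and that the expensive steps (user lookup, authorization decision) are executed in the same order regardless of which failure occurred, since a branch that returns early is visible as a faster response even when the status code matches.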