PT-2020-18364 · Symfony
Luka Sikic · Published 2020-03-30 · Updated 2024-03-06
CVE-2020-5274
CVSS v2.0: 5.5 (Medium)
| Vector | AV:N/AC:L/Au:S/C:P/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
Symfony versions prior to 4.4.5 and 5.0.5
symfony/http-foundation versions prior to 4.4.5 and 5.0.5
Description
In Symfony versions before 4.4.5 and 5.0.5, the ErrorHandler rendered properties of the Exception (such as its message) into the error page without escaping them when displaying the stack trace, and that stack trace was also shown in non-debug configurations. Attacker-controlled data that ends up in an exception message can therefore be rendered as markup in the error page, and the trace discloses file paths and call details to whoever triggers the error, even in production. The fix makes the ErrorHandler escape all properties of the Exception and display the stack trace only in debug configurations.
Recommendations
For Symfony versions prior to 4.4.5, update to version 4.4.5 or later.
For Symfony versions prior to 5.0.5, update to version 5.0.5 or later.
As a temporary workaround, keep debug mode disabled in production (for example APP_DEBUG=0 in the .env of a Symfony Flex application) and enable it only when needed. Note that on unfixed versions the unescaped stack trace could still be rendered in non-debug configurations, so this reduces rather than removes the exposure until the update is applied.
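The following PHP script is an added illustration, not Symfony's own ErrorHandler code. It contrasts a renderer that writes exception properties into the page unescaped and emits the trace regardless of debug mode (the behaviour described above) with one that escapes every property and emits the trace only when debug is on, which is the shape of the fix and the reason the debug-mode workaround only partly helps. The function names, the $debug flag and the constructed exception message are assumptions made for the example; it needs PHP 8 for str_contains().

```php
<?php
// Added illustration of CVE-2020-5274's mechanism; not Symfony's ErrorHandler.
// renderVulnerable/renderFixed and the $debug flag are hypothetical names.

declare(strict_types=1);

function renderVulnerable(Throwable $e): string
{
    // Exception properties go straight into the markup, and the stack trace
    // is emitted whether or not debug mode is on.
    return '<h1>' . get_class($e) . ': ' . $e->getMessage() . '</h1>'
         . '<pre>' . $e->getTraceAsString() . '</pre>';
}

function renderFixed(Throwable $e, bool $debug): string
{
    $esc = static fn (string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');

    $html = '<h1>' . $esc(get_class($e)) . ': ' . $esc($e->getMessage()) . '</h1>';
    if ($debug) {
        // Trace only in debug configurations, and escaped like everything else.
        $html .= '<pre>' . $esc($e->getTraceAsString()) . '</pre>';
    } else {
        $html .= '<p>An error occurred.</p>';
    }
    return $html;
}

// Constructed input: an exception whose message carries attacker-supplied
// markup, e.g. a request parameter echoed into a "route not found" message.
$userInput = '<script>alert(document.cookie)</script>';
$exception = new RuntimeException(sprintf('Route "%s" not found', $userInput));

$vulnerable = renderVulnerable($exception);
$fixedProd  = renderFixed($exception, false);
$fixedDebug = renderFixed($exception, true);

// Each check is a property the two renderers must have; a failure throws.
$checks = [
    'vulnerable output keeps the injected <script> tag'      => str_contains($vulnerable, '<script>'),
    'vulnerable output leaks the stack trace with debug off' => str_contains($vulnerable, '#0 '),
    'fixed output contains no raw <script> tag'              => !str_contains($fixedProd, '<script>'),
    'fixed output contains the escaped form instead'         => str_contains($fixedProd, '&lt;script&gt;'),
    'fixed output shows no trace with debug off'             => !str_contains($fixedProd, '<pre>'),
    'fixed output shows an escaped trace with debug on'      => str_contains($fixedDebug, '<pre>#0 '),
];
foreach ($checks as $label => $ok) {
    if (!$ok) {
        throw new LogicException("check failed: $label");
    }
}

echo "Vulnerable (debug off):\n$vulnerable\n\n";
echo "Fixed (debug off):\n$fixedProd\n\n";
echo "All checks passed.\n";
```

Run it with `php example.php`. The vulnerable rendering shows both problems the advisory names at once: the script tag arrives intact in the response body, and the trace is printed with debug off; the fixed rendering escapes the message and withholds the trace unless $debug is true.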
Weakness Enumeration
CWE-209: Generation of Error Message Containing Sensitive Information
Related Identifiers
CVE-2020-5274
Affected Products
Symfony
Symfony Httpfoundation