PT-2020-18365 · Symfony · Symfony Security Http

Chalasr · Published 2020-03-30 · Updated 2024-03-06 · CVE-2020-5275

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
symfony/security-http versions 4.4.0 through 4.4.6
symfony/security-http versions 5.0.0 through 5.0.6

Description
The issue arises when a Firewall checks access control rules using the unanimous strategy. In affected versions, the Firewall iterates over each rule's attributes and stops as soon as the accessDecisionManager decides to grant access on an attribute. The remaining attributes, which the unanimous strategy should also have taken into account, are therefore never checked. The accessDecisionManager is now called with all attributes at once, so the unanimous strategy is applied to every attribute of the rule.

Recommendations
For symfony/security-http versions 4.4.0 through 4.4.6, update to version 4.4.7 to resolve the issue.
For symfony/security-http versions 5.0.0 through 5.0.6, update to version 5.0.7 to resolve the issue.
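The following is an added example, not Symfony's own code: a small stand-alone model of the unanimous strategy with two constructed voters, checked once the way affected versions did (one decide() call per attribute, stopping at the first grant) and once the way the fix does (one decide() call with all attributes). With a rule requiring both ROLE_USER and IS_ADMIN, the per-attribute loop grants an ordinary user because the IS_ADMIN attribute is never reached, while the single call is denied by the admin voter. All names in the block are assumptions for the illustration.

```php
<?php
// Added example, not Symfony's code: a minimal model of the unanimous strategy and of
// the two ways the firewall consulted it. Assumed names: $voters, decideUnanimous(),
// checkAccessAffected(), checkAccessFixed(); the token and rule below are constructed.
// Each voter returns 1 (grant), -1 (deny) or 0 (abstain) for a single attribute.
$voters = [
    // Constructed voter: decides ROLE_USER from the token's roles, abstains otherwise.
    'role' => function (array $token, string $attribute): int {
        if ($attribute !== 'ROLE_USER') { return 0; }
        return in_array('ROLE_USER', $token['roles'], true) ? 1 : -1;
    },
    // Constructed voter: decides IS_ADMIN from the token's admin flag, abstains otherwise.
    'admin' => function (array $token, string $attribute): int {
        if ($attribute !== 'IS_ADMIN') { return 0; }
        return $token['admin'] ? 1 : -1;
    },
];
// Unanimous strategy: a deny on any attribute rejects; otherwise grant if any voter granted.
function decideUnanimous(array $voters, array $token, array $attributes): bool
{
    $grants = 0;
    foreach ($attributes as $attribute) {
        foreach ($voters as $voter) {
            $vote = $voter($token, $attribute);
            if ($vote === -1) { return false; }
            if ($vote === 1) { $grants++; }
        }
    }
    return $grants > 0;
}
// Affected behaviour: decide() is called per attribute and the loop stops at the first
// grant, so attributes after the first granted one are never put in front of the voters.
function checkAccessAffected(array $voters, array $token, array $attributes): bool
{
    foreach ($attributes as $attribute) {
        if (decideUnanimous($voters, $token, [$attribute])) { return true; }
    }
    return false;
}
// Fixed behaviour: a single decide() call carries every attribute of the rule.
function checkAccessFixed(array $voters, array $token, array $attributes): bool
{
    return decideUnanimous($voters, $token, $attributes);
}
$token = ['roles' => ['ROLE_USER'], 'admin' => false]; // constructed: an ordinary user
$rule  = ['ROLE_USER', 'IS_ADMIN'];                     // constructed: a rule requiring both
printf("affected: %s\n", checkAccessAffected($voters, $token, $rule) ? 'granted' : 'denied');
printf("fixed:    %s\n", checkAccessFixed($voters, $token, $rule) ? 'granted' : 'denied');
```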

Weakness Enumeration
Incorrect Authorization
Improper Authorization

Related Identifiers
BIT-SYMFONY-2020-5275
CVE-2020-5275
GHSA-G4M9-5HPF-HX72

Affected Products
Symfony Security Http