CVE-2020-5275: Incorrect Authorization

March 30, 2020 (updated April 9, 2020)

In symfony/security-http, when a Firewall checks access control rule, it iterates overs each rule’s attributes and stops as soon as the accessDecisionManager decides to grant access on the attribute, preventing the check of next attributes that should have been take into account in a unanimous strategy. The accessDecisionManager is now called with all attributes at once, allowing the unanimous strategy being applied on each attribute.

References

nvd.nist.gov/vuln/detail/CVE-2020-5275

Code Behaviors & Features

Detect and mitigate CVE-2020-5275 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →