Security Advisories: GSA_kwCzR0hTQS04M2MzLXF4MjctMnJ3cs4AAfXs
Symfony Allows URI Restrictions Bypass Via Double-Encoded String
In Symfony 2.0.x there is a security issue that allows access to routes protected by a firewall even when the user is not logged in.

Both the Routing component and the Security component use the path returned by Request::getPathInfo() to match a Request. getPathInfo() returns a path that has already been URL-decoded, but the Routing component (Symfony\Component\Routing\Matcher\UrlMatcher) decodes that path a second time, whereas the Security component's matcher (Symfony\Component\HttpFoundation\RequestMatcher) does not. A request for /%2561dmin is therefore seen by the firewall as /%61dmin, which does not match an access rule for ^/admin, while the router decodes it once more to /admin and dispatches to the protected route.

This difference makes Symfony 2.0 vulnerable to double-encoding attacks.

Permalink: https://github.com/advisories/GHSA-83c3-qx27-2rwr
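The following Python model is an added example and is not Symfony code: it reproduces the mismatch described above with a firewall matcher that uses getPathInfo() as-is and a router that decodes the same path a second time, then shows the invariant that closes the hole (both components match the same, once-decoded path). The access rule, the route table and the request targets are constructed for the example; the actual 2.0.20 patch is not reproduced here.

```python
import re
from urllib.parse import unquote

# Constructed configuration, modelled on a typical Symfony 2.0 access_control
# entry and one route behind it (hypothetical names, not Symfony's own code).
FIREWALL_PATTERN = r"^/admin"               # access_control: { path: ^/admin, roles: ROLE_ADMIN }
ROUTES = {"admin_dashboard": r"^/admin$"}   # every route listed here sits behind the firewall


def path_info(raw_target):
    """Model of Symfony 2.0 Request::getPathInfo(): drop the query string and
    percent-decode the path exactly once."""
    return unquote(raw_target.split("?", 1)[0])


def firewall_requires_auth(pathinfo):
    """Model of the Security component's RequestMatcher: the access-control
    regex is applied to getPathInfo() without any further decoding."""
    return re.search(FIREWALL_PATTERN, pathinfo) is not None


def route_for(pathinfo, decode_again):
    """Model of UrlMatcher. decode_again=True is the Symfony 2.0 behaviour: the
    already-decoded path is rawurldecoded a second time before matching.
    decode_again=False is the hardened form: the router matches exactly the
    string the firewall evaluated, so both components agree on the path."""
    candidate = unquote(pathinfo) if decode_again else pathinfo
    for name, pattern in ROUTES.items():
        if re.search(pattern, candidate):
            return name
    return None


def evaluate(raw_target, decode_again=True):
    """Run one request target through both matchers and report whether the
    router dispatches to a protected route that the firewall let through."""
    pathinfo = path_info(raw_target)
    auth_required = firewall_requires_auth(pathinfo)
    route = route_for(pathinfo, decode_again)
    # All routes in ROUTES are protected, so reaching one without the firewall
    # demanding authentication is a bypass.
    bypass = route is not None and not auth_required
    return {
        "path_info": pathinfo,
        "auth_required": auth_required,
        "route": route,
        "bypass": bypass,
    }


def double_encoded_variant(path):
    """Spell the first letter after the leading slash as %XX and then encode the
    percent sign itself as %25, e.g. /admin -> /%2561dmin. One decode yields
    /%61dmin (no firewall match); a second decode yields /admin again."""
    i = 1 if path.startswith("/") else 0
    return path[:i] + "%25" + format(ord(path[i]), "02X") + path[i + 1:]


if __name__ == "__main__":
    targets = ["/admin", "/%61dmin", double_encoded_variant("/admin")]
    for decode_again in (True, False):
        print("router decodes a second time:", decode_again)
        for t in targets:
            print("  %-14s -> %s" % (t, evaluate(t, decode_again)))
```

Run as a script, the first table shows /%2561dmin reaching admin_dashboard with auth_required False under the 2.0 behaviour; with decode_again=False the same request simply fails to match any route, which is the safe outcome. The general lesson is the one the advisory states: every component that makes a decision about a path must see the path in the same canonical form, decoded the same number of times.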
Source: GitHub Advisory Database
Published: over 1 year ago
Updated: 2 months ago
Identifiers: GHSA-83c3-qx27-2rwr, CVE-2012-6431
Fixed in: 2.0.20