Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1xOGo3LWZqaDctMjV2Nc3gFg

Symfony collectionCascaded and collectionCascadedDeeply fields security bypass

When using the Validator component, if Symfony\Component\Validator\Mapping\Cache\ApcCache is enabled (or any other cache implementing Symfony\Component\Validator\Mapping\Cache\CacheInterface), some information is lost during serialization (the collectionCascaded and the collectionCascadedDeeply fields).

As a consequence, arrays or traversable objects stored in fields carrying the @Valid constraint are no longer traversed by the validator once the validator configuration is loaded from the cache, so constraints on the nested objects are silently skipped.

Permalink: https://github.com/advisories/GHSA-q8j7-fjh7-25v5
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xOGo3LWZqaDctMjV2Nc3gFg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: 2 months ago
CVSS Score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Identifiers: GHSA-q8j7-fjh7-25v5, CVE-2013-4751
References:

Affected Packages

packagist:symfony/validator
Versions: >= 2.3.0, < 2.3.3, >= 2.2.0, < 2.2.5, >= 2.1.0, < 2.1.12, >= 2.0.0, < 2.0.24
Fixed in: 2.3.3, 2.2.5, 2.1.12, 2.0.24