Affected versions¶ Symfony >= 5.3.0, <5.3.2 versions of the Symfony Security HTTP component is affected by this security issue. The issue has been fixed in Symfony 5.3.2. Description¶ When an application defines multiple firewalls, the authenticated token delivered by one of the firewalls is available to all other firewalls. This can be abused when the application defines different providers for different parts of an application. In such a situation, a user authenticated on one part of the application is considered authenticated on the whole application. We now ensure that the authenticated token is only available for the firewall that generates it. The patch for this issue is available here for branch 5.3. Credits¶ I would like to thank Bogdan, gndk, Paweł Warchoł, Warxcell, and Adrien Lamotte for reporting the issue and Wouter J for fixing the issue.
Sponsor the Symfony project.Login to add comment
Other posts in this group
SymfonyOnline June 2025 is almost here, starting in almost 2 months on:
June 10-11: Workshop days. It is possible to attend 1 two-day training or 2 one-day trainings. June 12-13: Online confe
Symfony's Messenger component makes it easy to build message-driven applications. However, developers using symfony/amqp-messenger have long faced a limitation: it relies on polling (get()), which can
SymfonyLive Berlin 2025 took place just 3 weeks ago!
A huge thank you to everyone who joined us!🔥 The conference brought together the local Symfony community in the heart of Berlin for two da
Contributed by Hubert Lenoir in
SymfonyOnline June 2025 is almost here, starting in almost 2 months on:
June 10-11: Workshop days. It is possible to attend 1 two-day training or 2 one-day trainings. June 12-13: Online confe
Contributed by Kévin Dunglas in
SymfonyOnline June 2025 is almost here, starting in almost 2 months on:
June 10-11: Workshop days. It is possible to attend 1 two-day training or 2 one-day trainings. June 12-13: Online confe
