niftycent.com
NiftyCent
US
Login
Marketplace
Discounts

CVE-2021-32693: Authentication granted to all firewalls instead of just one

Affected versions¶ Symfony >= 5.3.0, <5.3.2 versions of the Symfony Security HTTP component is affected by this security issue. The issue has been fixed in Symfony 5.3.2. Description¶ When an application defines multiple firewalls, the authenticated token delivered by one of the firewalls is available to all other firewalls. This can be abused when the application defines different providers for different parts of an application. In such a situation, a user authenticated on one part of the application is considered authenticated on the whole application. We now ensure that the authenticated token is only available for the firewall that generates it. The patch for this issue is available here for branch 5.3. Credits¶ I would like to thank Bogdan, gndk, Paweł Warchoł, Warxcell, and Adrien Lamotte for reporting the issue and Wouter J for fixing the issue.

                Sponsor the Symfony project.

http://feedproxy.google.com/~r/symfony/blog/~3/qkbXuTdSlRU/cve-2021-32693-authentication-granted-to-all-firewalls-instead-of-just-one

Created 4y | Jun 17, 2021, 3:20:16 PM


Login to add comment

Other posts in this group

Symfony 2024 Year in Review
Symfony 2024 Year in Review

This blog post highlights the key accomplishments of the Symfony project in 2024. We are grateful for your continuous support, which enabled the Symfony project to achieve a remarkable year.

Releases

Jan 7, 2025, 1:40:05 PM | Symfony
A Week of Symfony #940 (30 December 2024 - 5 January 2025)
A Week of Symfony #940 (30 December 2024 - 5 January 2025)

This week, Symfony 6.4.17, 7.1.10 and 7.2.2 maintenance versions were released. In addition, we published more information about the upcoming SymfonyOnline January 2025 conference.

Symfony developmen

Jan 5, 2025, 10:30:12 AM | Symfony
SymfonyOnline January 2025: Join us in 2 weeks!
SymfonyOnline January 2025: Join us in 2 weeks!

Get ready for the exciting SymfonyOnline January 2025, kicking off shortly on January 16-17! There’s still time to register and join the international online Symfony conference—along with pre-

Jan 2, 2025, 12:50:08 PM | Symfony
Symfony 6.4.17 released
Symfony 6.4.17 released

Symfony 6.4.17 has just been released. Here is the list of the most important changes since 6.4.16:

bug #59304 [PropertyInfo] Remove @internal from PropertyReadInfo and PropertyWriteInfo (Dario G
Dec 31, 2024, 4:50:11 PM | Symfony
Symfony 7.1.10 released
Symfony 7.1.10 released

Symfony 7.1.10 has just been released. Here is the list of the most important changes since 7.1.9:

bug #59304 [PropertyInfo] Remove @internal from PropertyReadInfo and PropertyWriteInfo (Dario Gu
Dec 31, 2024, 4:50:10 PM | Symfony
Symfony 7.2.2 released
Symfony 7.2.2 released

Symfony 7.2.2 has just been released. Here is the list of the most important changes since 7.2.1:

bug #59304 [PropertyInfo] Remove @internal from PropertyReadInfo and PropertyWriteInfo (Dario Gua
Dec 31, 2024, 4:50:10 PM | Symfony
A Week of Symfony #939 (23-29 December 2024)
A Week of Symfony #939 (23-29 December 2024)

This week, we launched the new Twig playground, a tool that lets you test and experiment with Twig features in a safe, sandboxed environment. While Symfony development activity was lighter than usual

Dec 29, 2024, 11:30:09 AM | Symfony
Techie
Techie