Affected versions¶ Symfony >= 5.3.0, <5.3.2 versions of the Symfony Security HTTP component is affected by this security issue. The issue has been fixed in Symfony 5.3.2. Description¶ When an application defines multiple firewalls, the authenticated token delivered by one of the firewalls is available to all other firewalls. This can be abused when the application defines different providers for different parts of an application. In such a situation, a user authenticated on one part of the application is considered authenticated on the whole application. We now ensure that the authenticated token is only available for the firewall that generates it. The patch for this issue is available here for branch 5.3. Credits¶ I would like to thank Bogdan, gndk, Paweł Warchoł, Warxcell, and Adrien Lamotte for reporting the issue and Wouter J for fixing the issue.
Sponsor the Symfony project.
Connectez-vous pour ajouter un commentaire
Autres messages de ce groupe

SymfonyOnline June 2025 is almost here, starting in almost 2 months on:
June 10-11: Workshop days. It is possible to attend 1 two-day training or 2 one-day trainings. June 12-13: Online confe

Symfony's Messenger component makes it easy to build message-driven applications. However, developers using symfony/amqp-messenger have long faced a limitation: it relies on polling (get()), which can

SymfonyLive Berlin 2025 took place just 3 weeks ago!
A huge thank you to everyone who joined us!🔥 The conference brought together the local Symfony community in the heart of Berlin for two da

Contributed by Hubert Lenoir in

SymfonyOnline June 2025 is almost here, starting in almost 2 months on:
June 10-11: Workshop days. It is possible to attend 1 two-day training or 2 one-day trainings. June 12-13: Online confe

Contributed by Kévin Dunglas in

SymfonyOnline June 2025 is almost here, starting in almost 2 months on:
June 10-11: Workshop days. It is possible to attend 1 two-day training or 2 one-day trainings. June 12-13: Online confe