{"containers": {"cna": {"affected": [{"product": "symfony", "vendor": "symfony", "versions": [{"status": "affected", "version": ">= 4.0.0, < 4.4.5"}, {"status": "affected", "version": ">= 5.0.0, < 5.0.5"}]}], "descriptions": [{"lang": "en", "value": "In Symfony before versions 5.0.5 and 4.4.5, some properties of the Exception were not properly escaped when the `ErrorHandler` rendered it stacktrace. In addition, the stacktrace were displayed even in a non-debug configuration. The ErrorHandler now escape alls properties of the exception, and the stacktrace is only display in debug configuration. This issue is patched in symfony/http-foundation versions 4.4.5 and 5.0.5"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-209", "description": "CWE-209: Generation of Error Message Containing Sensitive Information", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-03-30T19:40:14.000Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/symfony/symfony/security/advisories/GHSA-m884-279h-32v2"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/symfony/symfony/commit/629d21b800a15dc649fb0ae9ed7cd9211e7e45db"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/symfony/symfony/commit/cf80224589ac05402d4f72f5ddf80900ec94d5ad"}], "source": {"advisory": "GHSA-m884-279h-32v2", "discovery": "UNKNOWN"}, "title": "Exceptions displayed in non-debug configurations in Symfony", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-5274", "STATE": "PUBLIC", "TITLE": "Exceptions displayed in non-debug configurations in Symfony"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "symfony", "version": {"version_data": [{"version_value": ">= 4.0.0, < 4.4.5"}, {"version_value": ">= 5.0.0, < 5.0.5"}]}}]}, "vendor_name": "symfony"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In Symfony before versions 5.0.5 and 4.4.5, some properties of the Exception were not properly escaped when the `ErrorHandler` rendered it stacktrace. In addition, the stacktrace were displayed even in a non-debug configuration. The ErrorHandler now escape alls properties of the exception, and the stacktrace is only display in debug configuration. This issue is patched in symfony/http-foundation versions 4.4.5 and 5.0.5"}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-209: Generation of Error Message Containing Sensitive Information"}]}]}, "references": {"reference_data": [{"name": "https://github.com/symfony/symfony/security/advisories/GHSA-m884-279h-32v2", "refsource": "CONFIRM", "url": "https://github.com/symfony/symfony/security/advisories/GHSA-m884-279h-32v2"}, {"name": "https://github.com/symfony/symfony/commit/629d21b800a15dc649fb0ae9ed7cd9211e7e45db", "refsource": "MISC", "url": "https://github.com/symfony/symfony/commit/629d21b800a15dc649fb0ae9ed7cd9211e7e45db"}, {"name": "https://github.com/symfony/symfony/commit/cf80224589ac05402d4f72f5ddf80900ec94d5ad", "refsource": "MISC", "url": "https://github.com/symfony/symfony/commit/cf80224589ac05402d4f72f5ddf80900ec94d5ad"}]}, "source": {"advisory": "GHSA-m884-279h-32v2", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T08:22:09.100Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/symfony/symfony/security/advisories/GHSA-m884-279h-32v2"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/symfony/symfony/commit/629d21b800a15dc649fb0ae9ed7cd9211e7e45db"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/symfony/symfony/commit/cf80224589ac05402d4f72f5ddf80900ec94d5ad"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-5274", "datePublished": "2020-03-30T19:40:14.000Z", "dateReserved": "2020-01-02T00:00:00.000Z", "dateUpdated": "2024-08-04T08:22:09.100Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*", "matchCriteriaId": "A736C1DC-7AB3-4406-ABD8-60C143F225E4", "versionEndExcluding": "4.4.4", "versionStartIncluding": "4.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*", "matchCriteriaId": "03FB6307-56EA-4047-ABE0-4658CD8358FB", "versionEndExcluding": "5.0.4", "versionStartIncluding": "5.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In Symfony before versions 5.0.5 and 4.4.5, some properties of the Exception were not properly escaped when the `ErrorHandler` rendered it stacktrace. In addition, the stacktrace were displayed even in a non-debug configuration. The ErrorHandler now escape alls properties of the exception, and the stacktrace is only display in debug configuration. This issue is patched in symfony/http-foundation versions 4.4.5 and 5.0.5"}, {"lang": "es", "value": "En Symfony versiones anteriores a 5.0.5 y 4.4.5, algunas propiedades de la Excepci\u00f3n no fueron escapados apropiadamente cuando el \"ErrorHandler\" la renderiz\u00f3 en stacktrace. Adem\u00e1s, el stacktrace fue desplegado incluso en una configuraci\u00f3n sin depuraci\u00f3n. ErrorHandler ahora escapa de todas las propiedades de la excepci\u00f3n, y el stacktrace se muestra solo en la configuraci\u00f3n de depuraci\u00f3n. Este problema est\u00e1 parcheado en Symfony/http-foundation versiones 4.4.5 y 5.0.5."}], "id": "CVE-2020-5274", "lastModified": "2024-11-21T05:33:48.880", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 5.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-03-30T20:15:19.633", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/symfony/symfony/commit/629d21b800a15dc649fb0ae9ed7cd9211e7e45db"}, {"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/symfony/symfony/commit/cf80224589ac05402d4f72f5ddf80900ec94d5ad"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/symfony/symfony/security/advisories/GHSA-m884-279h-32v2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/symfony/symfony/commit/629d21b800a15dc649fb0ae9ed7cd9211e7e45db"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/symfony/symfony/commit/cf80224589ac05402d4f72f5ddf80900ec94d5ad"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/symfony/symfony/security/advisories/GHSA-m884-279h-32v2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-209"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-209"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}