CVE-2012-6431

Symfony 2.0.x before 2.0.20 does not process URL encoded data consistently within the Routing and Security components, which allows remote attackers to bypass intended URI restrictions via a doubly encoded string.

Published Bycve@mitre.org

Published DateDec 27, 2012, 11:47

Affected Versions(4)

symfony/http-foundation(Packagist)

Introduced2.0.0

Fixed2.0.19

LimitN/A

symfony/routing(Packagist)

Introduced2.0.0

Fixed2.0.19

LimitN/A

symfony/security(Packagist)

Introduced2.0.0

Fixed2.0.19

LimitN/A

symfony/symfony(Packagist)

Introduced2.0.0

Fixed2.0.19

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
symfony/http-foundation(Packagist)	2.0.0	2.0.19	N/A
symfony/routing(Packagist)	2.0.0	2.0.19	N/A
symfony/security(Packagist)	2.0.0	2.0.19	N/A
symfony/symfony(Packagist)	2.0.0	2.0.19	N/A

Weakness Type (CWE):CWE-264

CVSS Metrics

Base Score

6.4

Vector String

AV:N/AC:L/Au:N/C:P/I:P/A:N

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

PARTIAL

Availability (A)

NONE

References

http://symfony.com/blog/security-release-symfony-2-0-20-and-2-1-5-released

Weakness Type (CWE):CWE-264

CVSS Metrics

Base Score

6.4

Vector String

AV:N/AC:L/Au:N/C:P/I:P/A:N

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

PARTIAL

Availability (A)

NONE