CVE-2012-6432

Symfony 2.0.x before 2.0.20, 2.1.x before 2.1.5, and 2.2-dev, when the internal routes configuration is enabled, allows remote attackers to access arbitrary services via vectors involving a URI beginning with a /_internal substring.

Published Bycve@mitre.org

Published DateDec 27, 2012, 11:47

Affected Versions(3)

symfony/symfony(Packagist)

IntroducedN/A

FixedN/A

LimitN/A

symfony/symfony(Packagist)

Introduced2.0.0

Fixed2.0.20

LimitN/A

symfony/symfony(Packagist)

Introduced2.1.0

Fixed2.1.5

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
symfony/symfony(Packagist)	N/A	N/A	N/A
symfony/symfony(Packagist)	2.0.0	2.0.20	N/A
symfony/symfony(Packagist)	2.1.0	2.1.5	N/A

Weakness Type (CWE):CWE-264

CVSS Metrics

Base Score

6.8

Vector String

AV:N/AC:M/Au:N/C:P/I:P/A:P

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

PARTIAL

Availability (A)

PARTIAL

References

http://symfony.com/blog/security-release-symfony-2-0-20-and-2-1-5-released

Weakness Type (CWE):CWE-264

CVSS Metrics

Base Score

6.8

Vector String

AV:N/AC:M/Au:N/C:P/I:P/A:P

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

PARTIAL

Integrity (I)

PARTIAL

Availability (A)

PARTIAL