CVE-2012-6431

Description

On the Symfony 2.0.x version, there's a security issue that allows access to routes protected by a firewall even when the user is not logged in. Both the Routing component and the Security component uses the path returned by `getPathInfo()` to match a Request. The `getPathInfo()` returns a decoded path, but the Routing component (`Symfony\Component\Routing\Matcher\UrlMatcher`) decodes the path a second time; whereas the Security component, `Symfony\Component\HttpFoundation\RequestMatcher`, does not. This difference causes Symfony 2.0 to be vulnerable to double encoding attacks.

How to fix CVE-2012-6431

To remediate CVE-2012-6431, upgrade the affected package to a fixed version below.

• —upgrade to 2.0.19 or later
• —upgrade to 2.0.19 or later
• —upgrade to 2.0.19 or later
• —upgrade to 2.0.19 or later

Is CVE-2012-6431 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

• >= 2.0.0, < 2.0.19
• >= 2.0.0, < 2.0.19
• >= 2.0.0, < 2.0.19
• >= 2.0.0, < 2.0.19

References (9)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2012-6431
• WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2012-6431.yaml
• WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/symfony/routing/CVE-2012-6431.yaml
• WEBgithub.com