
Exceptions displayed in non-debug configurations in Symfony

Moderate severity GitHub Reviewed Published Mar 30, 2020 in symfony/symfony • Updated Feb 6, 2024

Package: symfony/error-handler (Composer)
Affected versions: >= 4.4.0, < 4.4.4; >= 5.0.0, < 5.0.4
Patched versions: 4.4.4; 5.0.4

Package: symfony/symfony (Composer)
Affected versions: >= 4.4.0, < 4.4.4; >= 5.0.0, < 5.0.4
Patched versions: 4.4.4; 5.0.4

Description

When ErrorHandler renders an exception HTML page, it uses unescaped properties of the related Exception object to render the stack trace. The security issue is that these stack traces were also displayed in non-debug environments, so exception details could reach end users in production.

Resolution

The ErrorHandler class now escapes all properties coming from the related Exception, and the stack trace is no longer displayed in non-debug environments.

The patches for this issue are available here and here for branch 4.4.
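As an added illustration (not Symfony's own code and not the actual patch), the minimal renderer below reproduces the two defects the advisory describes next to a hardened form: every exception-derived string is HTML-escaped, and the trace is emitted only when debug mode is on. The function names and the sample exception are constructed for this example.

```php
<?php
// Added example, not part of the symfony/error-handler code base.
declare(strict_types=1);

/** Vulnerable pattern: raw exception properties interpolated into HTML,
 *  and the trace rendered regardless of the debug setting. */
function renderErrorPageVulnerable(\Throwable $e): string
{
    $html  = '<h1>' . $e->getMessage() . '</h1>';
    $html .= '<pre>' . $e->getTraceAsString() . '</pre>'; // shown even in production
    return $html;
}

/** Escape a string for safe inclusion in HTML text content. */
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Hardened pattern: generic page outside debug mode; all exception-derived
 *  strings escaped when details are shown. */
function renderErrorPageHardened(\Throwable $e, bool $debug): string
{
    if (!$debug) {
        // Production: reveal nothing about the exception itself.
        return '<h1>Oops! An Error Occurred</h1>';
    }

    $html  = '<h1>' . escapeHtml(get_class($e)) . ': ' . escapeHtml($e->getMessage()) . '</h1>';
    $html .= '<p>' . escapeHtml($e->getFile()) . ':' . $e->getLine() . '</p>';
    $html .= '<pre>' . escapeHtml($e->getTraceAsString()) . '</pre>';
    return $html;
}

// Constructed sample: a message carrying markup, as happens when untrusted
// input is echoed into an exception message by application code.
$e = new \RuntimeException('Invalid value: <marker>');

echo renderErrorPageVulnerable($e), "\n";      // "<marker>" lands in the page as a live tag
echo renderErrorPageHardened($e, false), "\n"; // generic page, no details at all
echo renderErrorPageHardened($e, true), "\n";  // details shown, "<marker>" becomes "&lt;marker&gt;"

// Quick self-checks of the properties the advisory's fix restores.
assert(strpos(renderErrorPageVulnerable($e), '<marker>') !== false);
assert(strpos(renderErrorPageHardened($e, true), '<marker>') === false);
assert(strpos(renderErrorPageHardened($e, false), 'RuntimeException') === false);
```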

Credits

I would like to thank Luka Sikic for reporting & Yonel Ceruto and Jérémy Derussé for fixing the issue.

@nicolas-grekas nicolas-grekas published to symfony/symfony Mar 30, 2020
Reviewed Mar 30, 2020
Published to the GitHub Advisory Database Mar 30, 2020
Last updated Feb 6, 2024

Severity: Moderate (4.6 / 10)

CVSS base metrics
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

CVE ID: CVE-2020-5274
GHSA ID: GHSA-m884-279h-32v2
Source code: No known source code
