NVD Vulnerability Detail

CVE-2021-32693

Summary	Symfony is a PHP framework for web and console applications and a set of reusable PHP components. A vulnerability related to firewall authentication is in Symfony starting with version 5.3.0 and prior to 5.3.2. When an application defines multiple firewalls, the token authenticated by one of the firewalls was available for all other firewalls. This could be abused when the application defines different providers for each part of the application, in such a situation, a user authenticated on a part of the application could be considered authenticated on the rest of the application. Starting in version 5.3.2, a patch ensures that the authenticated token is only available for the firewall that generates it.
Publication Date	June 18, 2021, 8:15 a.m.
Registration Date	June 18, 2021, 10 a.m.
Last Update	Nov. 21, 2024, 3:07 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:sensiolabs:symfony::::::::		5.3.0			5.3.2

Related information, measures and tools

No	URL	タグ
1	https://github.com/symfony/security-http/commit/6bf4c31219773a558b019ee12e54572174ff8129	Patch Third Party Advisory
2	https://github.com/symfony/security-http/commit/6bf4c31219773a558b019ee12e54572174ff8129	Patch Third Party Advisory
3	https://github.com/symfony/symfony/commit/3084764ad82f29dbb025df19978b9cbc3ab34728	Patch Third Party Advisory
4	https://github.com/symfony/symfony/commit/3084764ad82f29dbb025df19978b9cbc3ab34728	Patch Third Party Advisory
5	https://github.com/symfony/symfony/security/advisories/GHSA-rfcf-m67m-jcrq	Patch Third Party Advisory
6	https://github.com/symfony/symfony/security/advisories/GHSA-rfcf-m67m-jcrq	Patch Third Party Advisory
7	https://symfony.com/blog/cve-2021-32693-authentication-granted-to-all-firewalls-instead-of-just-one	Patch Vendor Advisory
8	https://symfony.com/blog/cve-2021-32693-authentication-granted-to-all-firewalls-instead-of-just-one	Patch Vendor Advisory

Common Vulnerabilities List

JVN Vulnerability Information

Symfony における認証に関する脆弱性

Title	Symfony における認証に関する脆弱性
Summary	Symfony には、認証に関する脆弱性が存在します。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	June 16, 2021, midnight
Registration Date	March 11, 2022, 5:51 p.m.
Last Update	March 11, 2022, 5:51 p.m.

Affected System

Sensio Labs

Symfony 5.3.0

Symfony 5.3.2 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2021-32693	https://www.cve.org/CVERecord?id=CVE-2021-32693
National Vulnerability Database (NVD)
2	CVE-2021-32693	https://nvd.nist.gov/vuln/detail/CVE-2021-32693
Symfony
3	CVE-2021-32693: Authentication granted to all firewalls instead of just one	https://symfony.com/blog/cve-2021-32693-authentication-granted-to-all-firewalls-instead-of-just-one

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-287	https://jvndb.jvn.jp/ja/cwe/CWE-287.html

ベンダー情報

No	Name	URL
GitHub
1	Authentication granted to all firewalls instead of just one	https://github.com/symfony/symfony/security/advisories/GHSA-rfcf-m67m-jcrq
2	Only trigger for the correct firewall in ContextListener::onKernelResponse()	https://github.com/symfony/symfony/commit/3084764ad82f29dbb025df19978b9cbc3ab34728
3	security #cve-2021-32693 [SecurityHttp] Fix "Authentication granted with multiple firewalls" (wouterj)	https://github.com/symfony/security-http/commit/6bf4c31219773a558b019ee12e54572174ff8129

Change Log

No	Changed Details	Date of change
1	[2022年03月11日] 掲載	March 11, 2022, 5:51 p.m.