Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:composer/symfony/security@5.0.0

Type composer

Namespace symfony

Name security

Version 5.0.0

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version null

Latest_non_vulnerable_version null

Affected_by_vulnerabilities

url VCID-e71e-d4tr-wqgz

vulnerability_id VCID-e71e-d4tr-wqgz

summary

Prevent user enumeration using Guard or the new Authenticator-based Security
Description
-----------

The ability to enumerate users was possible without relevant permissions due to different exception messages depending on whether the user existed or not. It was also possible to enumerate users by using a timing attack, by comparing time elapsed when authenticating an existing user and authenticating a non-existing user.

Resolution
----------

We now ensure that 403s are returned whether the user exists or not if the password is invalid or if the user does not exist.

The patch for this issue is available [here](https://github.com/symfony/symfony/commit/2a581d22cc621b33d5464ed65c4bc2057f72f011) for branch 3.4.

Credits
-------

I would like to thank James Isaac and Mathias Brodala for reporting the issue and Robin Chalas for fixing the issue.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2021-21424

reference_id

reference_type

scores

value	0.00266
scoring_system	epss
scoring_elements	0.50017
published_at	2026-04-01T12:55:00Z

value	0.00266
scoring_system	epss
scoring_elements	0.50084
published_at	2026-04-21T12:55:00Z

value	0.00266
scoring_system	epss
scoring_elements	0.50113
published_at	2026-04-18T12:55:00Z

value	0.00266
scoring_system	epss
scoring_elements	0.50112
published_at	2026-04-16T12:55:00Z

value	0.00266
scoring_system	epss
scoring_elements	0.50068
published_at	2026-04-13T12:55:00Z

value	0.00266
scoring_system	epss
scoring_elements	0.50072
published_at	2026-04-12T12:55:00Z

value	0.00266
scoring_system	epss
scoring_elements	0.50098
published_at	2026-04-11T12:55:00Z

value	0.00266
scoring_system	epss
scoring_elements	0.50081
published_at	2026-04-09T12:55:00Z

value	0.00266
scoring_system	epss
scoring_elements	0.50088
published_at	2026-04-08T12:55:00Z

value	0.00266
scoring_system	epss
scoring_elements	0.50033
published_at	2026-04-07T12:55:00Z

value	0.00266
scoring_system	epss
scoring_elements	0.50083
published_at	2026-04-04T12:55:00Z

value	0.00266
scoring_system	epss
scoring_elements	0.50055
published_at	2026-04-02T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2021-21424

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21424
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21424

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/lexik/jwt-authentication-bundle/CVE-2021-21424.yaml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/lexik/jwt-authentication-bundle/CVE-2021-21424.yaml

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/maker-bundle/CVE-2021-21424.yaml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/maker-bundle/CVE-2021-21424.yaml

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security/CVE-2021-21424.yaml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security/CVE-2021-21424.yaml

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-guard/CVE-2021-21424.yaml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-guard/CVE-2021-21424.yaml

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2021-21424.yaml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2021-21424.yaml

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2021-21424.yaml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2021-21424.yaml

reference_url

https://github.com/symfony/symfony

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/symfony/symfony

reference_url

https://github.com/symfony/symfony/commit/2a581d22cc621b33d5464ed65c4bc2057f72f011

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/symfony/symfony/commit/2a581d22cc621b33d5464ed65c4bc2057f72f011

reference_url

https://github.com/symfony/symfony/security/advisories/GHSA-5pv8-ppvj-4h68

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/symfony/symfony/security/advisories/GHSA-5pv8-ppvj-4h68

reference_url

https://lists.debian.org/debian-lts-announce/2023/07/msg00014.html

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2023/07/msg00014.html

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KENRNLB3FYXYGDWRBH2PDBOZZKOD7VY4

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KENRNLB3FYXYGDWRBH2PDBOZZKOD7VY4

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RH7TMM5CHQYBFFGXWRPJDPB3SKCZXI2M

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RH7TMM5CHQYBFFGXWRPJDPB3SKCZXI2M

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UC7BND775DVZDQT3RMGD2HVB2PKLJDJW

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UC7BND775DVZDQT3RMGD2HVB2PKLJDJW

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRUS2H2SSOQWNLBD35SKIWIDQEMV2PD3

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VRUS2H2SSOQWNLBD35SKIWIDQEMV2PD3

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KENRNLB3FYXYGDWRBH2PDBOZZKOD7VY4

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KENRNLB3FYXYGDWRBH2PDBOZZKOD7VY4

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RH7TMM5CHQYBFFGXWRPJDPB3SKCZXI2M

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RH7TMM5CHQYBFFGXWRPJDPB3SKCZXI2M

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UC7BND775DVZDQT3RMGD2HVB2PKLJDJW

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UC7BND775DVZDQT3RMGD2HVB2PKLJDJW

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRUS2H2SSOQWNLBD35SKIWIDQEMV2PD3

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRUS2H2SSOQWNLBD35SKIWIDQEMV2PD3

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2021-21424

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2021-21424

reference_url

https://symfony.com/cve-2021-21424

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://symfony.com/cve-2021-21424

reference_url

https://github.com/advisories/GHSA-5pv8-ppvj-4h68

reference_id

GHSA-5pv8-ppvj-4h68

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-5pv8-ppvj-4h68

reference_url	https://usn.ubuntu.com/USN-5290-1/
reference_id	USN-USN-5290-1
reference_type
scores
url	https://usn.ubuntu.com/USN-5290-1/

fixed_packages

url	pkg:composer/symfony/security@5.2.8
purl	pkg:composer/symfony/security@5.2.8
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/symfony/security@5.2.8

aliases CVE-2021-21424, GHSA-5pv8-ppvj-4h68

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-e71e-d4tr-wqgz

url VCID-grxm-dpcv-37d9

vulnerability_id VCID-grxm-dpcv-37d9

summary

Firewall configured with unanimous strategy was not actually unanimous in Symfony
Description
-----------

On Symfony before 4.4.0, when a `Firewall` checks an access control rule (using the unanimous strategy), it iterates over all rule attributes and grant access only if *all* calls to the `accessDecisionManager` decide to grant access.

As of Symfony 4.4.0, a bug was introduced that prevents the check of attributes as soon as `accessDecisionManager` decide to grant access on one attribute.

Resolution
----------

The `accessDecisionManager` is now called with all attributes at once, allowing the unanimous strategy being applied on each attribute. 

The patch for this issue is available [here](https://github.com/symfony/symfony/commit/c935e4a3fba6cc2ab463a6ca382858068d63cebf) for the 4.4 branch.

Credits
-------

I would like to thank Antonio J. García Lagar for reporting & Robin Chalas for fixing the issue.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2020-5275

reference_id

reference_type

scores

value	0.00274
scoring_system	epss
scoring_elements	0.50739
published_at	2026-04-02T12:55:00Z

value	0.00274
scoring_system	epss
scoring_elements	0.50801
published_at	2026-04-21T12:55:00Z

value	0.00274
scoring_system	epss
scoring_elements	0.50822
published_at	2026-04-18T12:55:00Z

value	0.00274
scoring_system	epss
scoring_elements	0.50777
published_at	2026-04-13T12:55:00Z

value	0.00274
scoring_system	epss
scoring_elements	0.50793
published_at	2026-04-12T12:55:00Z

value	0.00274
scoring_system	epss
scoring_elements	0.50816
published_at	2026-04-16T12:55:00Z

value	0.00274
scoring_system	epss
scoring_elements	0.50773
published_at	2026-04-09T12:55:00Z

value	0.00274
scoring_system	epss
scoring_elements	0.50776
published_at	2026-04-08T12:55:00Z

value	0.00274
scoring_system	epss
scoring_elements	0.50721
published_at	2026-04-07T12:55:00Z

value	0.00274
scoring_system	epss
scoring_elements	0.50685
published_at	2026-04-01T12:55:00Z

value	0.00274
scoring_system	epss
scoring_elements	0.50764
published_at	2026-04-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2020-5275

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5275
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5275

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security/CVE-2020-5275.yaml

reference_id

reference_type

scores

value	7.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security/CVE-2020-5275.yaml

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2020-5275.yaml

reference_id

reference_type

scores

value	7.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2020-5275.yaml

reference_url

https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2020-5275.yaml

reference_id

reference_type

scores

value	7.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2020-5275.yaml

reference_url

https://github.com/symfony/symfony/commit/c935e4a3fba6cc2ab463a6ca382858068d63cebf

reference_id

reference_type

scores

value	7.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/symfony/symfony/commit/c935e4a3fba6cc2ab463a6ca382858068d63cebf

reference_url

https://github.com/symfony/symfony/security/advisories/GHSA-g4m9-5hpf-hx72

reference_id

reference_type

scores

value	7.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/symfony/symfony/security/advisories/GHSA-g4m9-5hpf-hx72

reference_url	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C36JLPHUPKDFAX6D5WYFC4ALO2K7RDUQ/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C36JLPHUPKDFAX6D5WYFC4ALO2K7RDUQ/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C36JLPHUPKDFAX6D5WYFC4ALO2K7RDUQ

reference_id

reference_type

scores

value	7.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C36JLPHUPKDFAX6D5WYFC4ALO2K7RDUQ

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C36JLPHUPKDFAX6D5WYFC4ALO2K7RDUQ/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/C36JLPHUPKDFAX6D5WYFC4ALO2K7RDUQ/

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2020-5275

reference_id

reference_type

scores

value	5.5
scoring_system	cvssv2
scoring_elements	AV:N/AC:L/Au:S/C:P/I:P/A:N

value	7.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2020-5275

reference_url

https://symfony.com/cve-2020-5275

reference_id

reference_type

scores

value	7.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://symfony.com/cve-2020-5275

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961415
reference_id	961415
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961415

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:sensiolabs:symfony::::::::
reference_id	cpe:2.3:a:sensiolabs:symfony::::::::
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:sensiolabs:symfony::::::::

reference_url

https://github.com/advisories/GHSA-g4m9-5hpf-hx72

reference_id

GHSA-g4m9-5hpf-hx72

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-g4m9-5hpf-hx72

fixed_packages

url	pkg:composer/symfony/security@5.0.7
purl	pkg:composer/symfony/security@5.0.7
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:composer/symfony/security@5.0.7

aliases CVE-2020-5275, GHSA-g4m9-5hpf-hx72

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-grxm-dpcv-37d9

Fixing_vulnerabilities

Risk_score 4.0

Resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/security@5.0.0

Package Instance