Vulnerability Instance
Lookup for vulnerabilities affecting packages.
GET /api/vulnerabilities/46351?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46351?format=api", "vulnerability_id": "VCID-2ts3-y5j2-vufe", "summary": "Authentication granted to all firewalls instead of just one\nDescription\n-----------\n\nWhen an application defines multiple firewalls, the authenticated token delivered by one of the firewalls is available to all other firewalls. This can be abused when the application defines different providers for different parts of an application. In such a situation, a user authenticated on one part of the application is considered authenticated on the whole application.\n\nResolution\n----------\n\nWe now ensure that the authenticated token is only available for the firewall that generates it.\n\nThe patch for this issue is available [here](https://github.com/symfony/symfony/commit/3084764ad82f29dbb025df19978b9cbc3ab34728) for branch 5.3.\n\nCredits\n-------\n\nI would like to thank Bogdan, gndk, Paweł Warchoł, Warxcell, and Adrien Lamotte for reporting the issue and Wouter J for fixing the issue.", "aliases": [ { "alias": "CVE-2021-32693" }, { "alias": "GHSA-rfcf-m67m-jcrq" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/76742?format=api", "purl": "pkg:composer/symfony/security-http@5.3.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-bdhj-np35-sybt" }, { "vulnerability": "VCID-kqcd-f4vt-r7g8" }, { "vulnerability": "VCID-n3d2-zwve-gbf5" }, { "vulnerability": "VCID-sbsb-u8u5-4bcm" }, { "vulnerability": "VCID-v4rq-bsry-puct" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/security-http@5.3.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/252868?format=api", "purl": "pkg:composer/symfony/security-http@6.1.0-RC1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-bdhj-np35-sybt" }, { "vulnerability": "VCID-sbsb-u8u5-4bcm" }, { "vulnerability": "VCID-v4rq-bsry-puct" }, { "vulnerability": "VCID-znfv-ngqc-fudw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/security-http@6.1.0-RC1" }, { "url": "http://public2.vulnerablecode.io/api/packages/76743?format=api", "purl": "pkg:composer/symfony/symfony@5.3.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4num-z8cg-83gt" }, { "vulnerability": "VCID-8kq8-2mv9-s3ad" }, { "vulnerability": "VCID-9bzz-84cq-ykh2" }, { "vulnerability": "VCID-bdhj-np35-sybt" }, { "vulnerability": "VCID-c8ar-82sr-fqej" }, { "vulnerability": "VCID-en6a-wp7q-fbfs" }, { "vulnerability": "VCID-j2su-wjra-tbh1" }, { "vulnerability": "VCID-kgu6-gj5d-7bfx" }, { "vulnerability": "VCID-kqcd-f4vt-r7g8" }, { "vulnerability": "VCID-n3d2-zwve-gbf5" }, { "vulnerability": "VCID-p1dw-w76f-gbfv" }, { "vulnerability": "VCID-qwcj-hq3g-2qd7" }, { "vulnerability": "VCID-rgh3-ef8t-k3ec" }, { "vulnerability": "VCID-thtp-ehsj-t3ej" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@5.3.2" }, { "url": "http://public2.vulnerablecode.io/api/packages/940346?format=api", "purl": "pkg:deb/debian/symfony@0?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/symfony@0%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/940343?format=api", "purl": "pkg:deb/debian/symfony@4.4.19%2Bdfsg-2%2Bdeb11u6?distro=trixie", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-p1dw-w76f-gbfv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/symfony@4.4.19%252Bdfsg-2%252Bdeb11u6%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/940341?format=api", "purl": "pkg:deb/debian/symfony@5.4.23%2Bdfsg-1%2Bdeb12u5?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/symfony@5.4.23%252Bdfsg-1%252Bdeb12u5%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/940345?format=api", "purl": "pkg:deb/debian/symfony@6.4.21%2Bdfsg-2%2Bdeb13u1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/symfony@6.4.21%252Bdfsg-2%252Bdeb13u1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/940344?format=api", "purl": "pkg:deb/debian/symfony@7.4.7%2Bdfsg-1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/symfony@7.4.7%252Bdfsg-1%3Fdistro=trixie" }, { "url": "http://public2.vulnerablecode.io/api/packages/1000493?format=api", "purl": "pkg:deb/debian/symfony@7.4.8%2Bdfsg-1?distro=trixie", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/symfony@7.4.8%252Bdfsg-1%3Fdistro=trixie" } ], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/41910?format=api", "purl": "pkg:composer/symfony/security-http@5.3.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2ts3-y5j2-vufe" }, { "vulnerability": "VCID-bdhj-np35-sybt" }, { "vulnerability": "VCID-kqcd-f4vt-r7g8" }, { "vulnerability": "VCID-n3d2-zwve-gbf5" }, { "vulnerability": "VCID-sbsb-u8u5-4bcm" }, { "vulnerability": "VCID-v4rq-bsry-puct" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/security-http@5.3.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/252867?format=api", "purl": "pkg:composer/symfony/security-http@5.3.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2ts3-y5j2-vufe" }, { "vulnerability": "VCID-bdhj-np35-sybt" }, { "vulnerability": "VCID-kqcd-f4vt-r7g8" }, { "vulnerability": "VCID-n3d2-zwve-gbf5" }, { "vulnerability": "VCID-sbsb-u8u5-4bcm" }, { "vulnerability": "VCID-v4rq-bsry-puct" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/security-http@5.3.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/41920?format=api", "purl": "pkg:composer/symfony/symfony@5.3.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-2ts3-y5j2-vufe" }, { "vulnerability": "VCID-4num-z8cg-83gt" }, { "vulnerability": "VCID-8kq8-2mv9-s3ad" }, { "vulnerability": "VCID-9bzz-84cq-ykh2" }, { "vulnerability": "VCID-bdhj-np35-sybt" }, { "vulnerability": "VCID-c8ar-82sr-fqej" }, { "vulnerability": "VCID-en6a-wp7q-fbfs" }, { "vulnerability": "VCID-j2su-wjra-tbh1" }, { "vulnerability": "VCID-kgu6-gj5d-7bfx" }, { "vulnerability": "VCID-kqcd-f4vt-r7g8" }, { "vulnerability": "VCID-n3d2-zwve-gbf5" }, { "vulnerability": "VCID-p1dw-w76f-gbfv" }, { "vulnerability": "VCID-qwcj-hq3g-2qd7" }, { "vulnerability": "VCID-rgh3-ef8t-k3ec" }, { "vulnerability": "VCID-thtp-ehsj-t3ej" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@5.3.0" } ], "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2021-32693", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00545", "scoring_system": "epss", "scoring_elements": "0.67825", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00545", "scoring_system": "epss", "scoring_elements": "0.67813", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00545", "scoring_system": "epss", "scoring_elements": "0.67777", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00545", "scoring_system": "epss", "scoring_elements": "0.67811", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00545", "scoring_system": "epss", "scoring_elements": "0.67736", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00545", "scoring_system": "epss", "scoring_elements": "0.67703", "published_at": "2026-04-01T12:55:00Z" }, { "value": "0.00545", "scoring_system": "epss", "scoring_elements": "0.67756", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00545", "scoring_system": "epss", "scoring_elements": "0.67788", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00545", "scoring_system": "epss", "scoring_elements": "0.67802", "published_at": "2026-04-09T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2021-32693" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2021-32693.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2021-32693.yaml" }, { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2021-32693.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2021-32693.yaml" }, { "reference_url": "https://github.com/symfony/security-http", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/symfony/security-http" }, { "reference_url": "https://github.com/symfony/security-http/commit/6bf4c31219773a558b019ee12e54572174ff8129", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/symfony/security-http/commit/6bf4c31219773a558b019ee12e54572174ff8129" }, { "reference_url": "https://github.com/symfony/symfony/commit/3084764ad82f29dbb025df19978b9cbc3ab34728", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/symfony/symfony/commit/3084764ad82f29dbb025df19978b9cbc3ab34728" }, { "reference_url": "https://github.com/symfony/symfony/security/advisories/GHSA-rfcf-m67m-jcrq", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/symfony/symfony/security/advisories/GHSA-rfcf-m67m-jcrq" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32693", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32693" }, { "reference_url": "https://symfony.com/blog/cve-2021-32693-authentication-granted-to-all-firewalls-instead-of-just-one", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://symfony.com/blog/cve-2021-32693-authentication-granted-to-all-firewalls-instead-of-just-one" }, { "reference_url": "https://symfony.com/cve-2021-32693", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://symfony.com/cve-2021-32693" }, { "reference_url": "https://github.com/advisories/GHSA-rfcf-m67m-jcrq", "reference_id": "GHSA-rfcf-m67m-jcrq", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-rfcf-m67m-jcrq" } ], "weaknesses": [ { "cwe_id": 287, "name": "Improper Authentication", "description": "When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct." }, { "cwe_id": 1035, "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017." }, { "cwe_id": 937, "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013." } ], "exploits": [], "severity_range_score": "4.0 - 6.9", "exploitability": "0.5", "weighted_severity": "6.2", "risk_score": 3.1, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2ts3-y5j2-vufe" }