VulnerableCode Package Details - pkg:composer/symfony/security@4.4.1

Search for packages

Vulnerability	Summary	Fixed by
VCID-e71e-d4tr-wqgz Aliases: CVE-2021-21424 GHSA-5pv8-ppvj-4h68	Prevent user enumeration using Guard or the new Authenticator-based Security Description ----------- The ability to enumerate users was possible without relevant permissions due to different exception messages depending on whether the user existed or not. It was also possible to enumerate users by using a timing attack, by comparing time elapsed when authenticating an existing user and authenticating a non-existing user. Resolution ---------- We now ensure that 403s are returned whether the user exists or not if the password is invalid or if the user does not exist. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/2a581d22cc621b33d5464ed65c4bc2057f72f011) for branch 3.4. Credits ------- I would like to thank James Isaac and Mathias Brodala for reporting the issue and Robin Chalas for fixing the issue.	4.4.23 Affected by 0 other vulnerabilities. 4.4.24 Affected by 0 other vulnerabilities. 5.2.8 Affected by 0 other vulnerabilities.
VCID-grxm-dpcv-37d9 Aliases: CVE-2020-5275 GHSA-g4m9-5hpf-hx72	Firewall configured with unanimous strategy was not actually unanimous in Symfony Description ----------- On Symfony before 4.4.0, when a `Firewall` checks an access control rule (using the unanimous strategy), it iterates over all rule attributes and grant access only if all calls to the `accessDecisionManager` decide to grant access. As of Symfony 4.4.0, a bug was introduced that prevents the check of attributes as soon as `accessDecisionManager` decide to grant access on one attribute. Resolution ---------- The `accessDecisionManager` is now called with all attributes at once, allowing the unanimous strategy being applied on each attribute. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/c935e4a3fba6cc2ab463a6ca382858068d63cebf) for the 4.4 branch. Credits ------- I would like to thank Antonio J. García Lagar for reporting & Robin Chalas for fixing the issue.	4.4.7 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 4.4.9 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 5.0.7 Affected by 0 other vulnerabilities.
VCID-txk7-krb1-bqd9 Aliases: CVE-2020-15094 GHSA-754h-5r27-7x3r	RCE in Symfony Description ----------- The `CachingHttpClient` class from the HttpClient Symfony component relies on the `HttpCache` class to handle requests. `HttpCache` uses internal headers like `X-Body-Eval` and `X-Body-File` to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by `CachingHttpClient` and if an attacker can control the response for a request being made by the `CachingHttpClient`, remote code execution is possible. Resolution ---------- HTTP headers designed for internal use in `HttpCache` are now stripped from remote responses before being passed to `HttpCache`. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/d9910e0b33a2e0f993abff41c6fbc86951b66d78) for the 4.4 branch. Credits ------- I would like to thank Matthias Pigulla (webfactory GmbH) for reporting and fixing the issue.	4.4.13 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-e71e-d4tr-wqgz
Aliases:
CVE-2021-21424
GHSA-5pv8-ppvj-4h68

Prevent user enumeration using Guard or the new Authenticator-based Security Description ----------- The ability to enumerate users was possible without relevant permissions due to different exception messages depending on whether the user existed or not. It was also possible to enumerate users by using a timing attack, by comparing time elapsed when authenticating an existing user and authenticating a non-existing user. Resolution ---------- We now ensure that 403s are returned whether the user exists or not if the password is invalid or if the user does not exist. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/2a581d22cc621b33d5464ed65c4bc2057f72f011) for branch 3.4. Credits ------- I would like to thank James Isaac and Mathias Brodala for reporting the issue and Robin Chalas for fixing the issue.

4.4.23
Affected by 0 other vulnerabilities.

4.4.24
Affected by 0 other vulnerabilities.

5.2.8
Affected by 0 other vulnerabilities.

VCID-grxm-dpcv-37d9
Aliases:
CVE-2020-5275
GHSA-g4m9-5hpf-hx72

Firewall configured with unanimous strategy was not actually unanimous in Symfony Description ----------- On Symfony before 4.4.0, when a `Firewall` checks an access control rule (using the unanimous strategy), it iterates over all rule attributes and grant access only if *all* calls to the `accessDecisionManager` decide to grant access. As of Symfony 4.4.0, a bug was introduced that prevents the check of attributes as soon as `accessDecisionManager` decide to grant access on one attribute. Resolution ---------- The `accessDecisionManager` is now called with all attributes at once, allowing the unanimous strategy being applied on each attribute. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/c935e4a3fba6cc2ab463a6ca382858068d63cebf) for the 4.4 branch. Credits ------- I would like to thank Antonio J. García Lagar for reporting & Robin Chalas for fixing the issue.

4.4.7
Affected by 2 other vulnerabilities.

4.4.9
Affected by 2 other vulnerabilities.

5.0.7
Affected by 0 other vulnerabilities.

VCID-txk7-krb1-bqd9
Aliases:
CVE-2020-15094
GHSA-754h-5r27-7x3r

RCE in Symfony Description ----------- The `CachingHttpClient` class from the HttpClient Symfony component relies on the `HttpCache` class to handle requests. `HttpCache` uses internal headers like `X-Body-Eval` and `X-Body-File` to control the restoration of cached responses. The class was initially written with surrogate caching and ESI support in mind (all HTTP calls come from a trusted backend in that scenario). But when used by `CachingHttpClient` and if an attacker can control the response for a request being made by the `CachingHttpClient`, remote code execution is possible. Resolution ---------- HTTP headers designed for internal use in `HttpCache` are now stripped from remote responses before being passed to `HttpCache`. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/d9910e0b33a2e0f993abff41c6fbc86951b66d78) for the 4.4 branch. Credits ------- I would like to thank Matthias Pigulla (webfactory GmbH) for reporting and fixing the issue.

4.4.13
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T21:22:57.670523+00:00	GitLab Importer	Affected by	VCID-e71e-d4tr-wqgz	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security/CVE-2021-21424.yml	38.4.0
2026-04-16T21:07:48.914881+00:00	GitLab Importer	Affected by	VCID-txk7-krb1-bqd9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security/CVE-2020-15094.yml	38.4.0
2026-04-16T21:02:08.869046+00:00	GitLab Importer	Affected by	VCID-grxm-dpcv-37d9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security/CVE-2020-5275.yml	38.4.0
2026-04-11T22:35:36.651183+00:00	GitLab Importer	Affected by	VCID-e71e-d4tr-wqgz	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security/CVE-2021-21424.yml	38.3.0
2026-04-11T22:19:29.747765+00:00	GitLab Importer	Affected by	VCID-txk7-krb1-bqd9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security/CVE-2020-15094.yml	38.3.0
2026-04-11T22:13:28.772415+00:00	GitLab Importer	Affected by	VCID-grxm-dpcv-37d9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security/CVE-2020-5275.yml	38.3.0
2026-04-02T22:46:39.888154+00:00	GitLab Importer	Affected by	VCID-e71e-d4tr-wqgz	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security/CVE-2021-21424.yml	38.1.0
2026-04-02T22:31:29.197775+00:00	GitLab Importer	Affected by	VCID-txk7-krb1-bqd9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security/CVE-2020-15094.yml	38.1.0
2026-04-02T22:25:49.684261+00:00	GitLab Importer	Affected by	VCID-grxm-dpcv-37d9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security/CVE-2020-5275.yml	38.1.0
2026-04-01T17:04:36.293683+00:00	GitLab Importer	Affected by	VCID-e71e-d4tr-wqgz	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security/CVE-2021-21424.yml	38.0.0
2026-04-01T16:49:31.108578+00:00	GitLab Importer	Affected by	VCID-txk7-krb1-bqd9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security/CVE-2020-15094.yml	38.0.0
2026-04-01T16:43:46.504132+00:00	GitLab Importer	Affected by	VCID-grxm-dpcv-37d9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security/CVE-2020-5275.yml	38.0.0