VulnerableCode Package Details - pkg:deb/debian/symfony@4.4.8-1?distro=trixie

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-grxm-dpcv-37d9	Firewall configured with unanimous strategy was not actually unanimous in Symfony Description ----------- On Symfony before 4.4.0, when a `Firewall` checks an access control rule (using the unanimous strategy), it iterates over all rule attributes and grant access only if all calls to the `accessDecisionManager` decide to grant access. As of Symfony 4.4.0, a bug was introduced that prevents the check of attributes as soon as `accessDecisionManager` decide to grant access on one attribute. Resolution ---------- The `accessDecisionManager` is now called with all attributes at once, allowing the unanimous strategy being applied on each attribute. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/c935e4a3fba6cc2ab463a6ca382858068d63cebf) for the 4.4 branch. Credits ------- I would like to thank Antonio J. García Lagar for reporting & Robin Chalas for fixing the issue.	CVE-2020-5275 GHSA-g4m9-5hpf-hx72
VCID-pgk7-bnxx-ckeq	Prevent cache poisoning via a Response Content-Type header in Symfony Description ----------- When a `Response` does not contain a `Content-Type` header, Symfony falls back to the format defined in the `Accept` header of the request, leading to a possible mismatch between the response's content and `Content-Type` header. When the response is cached, this can lead to a corrupted cache where the cached format is not the right one. Resolution ---------- Symfony does not use the `Accept` header anymore to guess the `Content-Type`. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/dca343442e6a954f96a2609e7b4e9c21ed6d74e6) for the 4.4 branch. Credits ------- I would like to thank Xavier Lacot from JoliCode for reporting & Yonel Ceruto and Tobias Schultze for fixing the issue.	CVE-2020-5255 GHSA-mcx4-f5f5-4859
VCID-ugce-e42m-1fgj	Exceptions displayed in non-debug configurations in Symfony Description ----------- When `ErrorHandler` renders an exception HTML page, it uses un-escaped properties from the related Exception class to render the stacktrace. The security issue comes from the fact that the stacktraces were also displayed in non-`debug` environments. Resolution ---------- The `ErrorHandler` class now escapes all properties coming from the related Exception, and the stacktrace is not displayed anymore in non-`debug` environments. The patches for this issue are available [here](https://github.com/symfony/symfony/commit/cf80224589ac05402d4f72f5ddf80900ec94d5ad) and [here](https://github.com/symfony/symfony/commit/629d21b800a15dc649fb0ae9ed7cd9211e7e45db) for branch 4.4. Credits ------- I would like to thank Luka Sikic for reporting & Yonel Ceruto and Jérémy Derussé for fixing the issue.	CVE-2020-5274 GHSA-m884-279h-32v2

Vulnerability

Summary

Aliases

VCID-grxm-dpcv-37d9

Firewall configured with unanimous strategy was not actually unanimous in Symfony Description ----------- On Symfony before 4.4.0, when a `Firewall` checks an access control rule (using the unanimous strategy), it iterates over all rule attributes and grant access only if *all* calls to the `accessDecisionManager` decide to grant access. As of Symfony 4.4.0, a bug was introduced that prevents the check of attributes as soon as `accessDecisionManager` decide to grant access on one attribute. Resolution ---------- The `accessDecisionManager` is now called with all attributes at once, allowing the unanimous strategy being applied on each attribute. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/c935e4a3fba6cc2ab463a6ca382858068d63cebf) for the 4.4 branch. Credits ------- I would like to thank Antonio J. García Lagar for reporting & Robin Chalas for fixing the issue.

CVE-2020-5275
GHSA-g4m9-5hpf-hx72

VCID-pgk7-bnxx-ckeq

Prevent cache poisoning via a Response Content-Type header in Symfony Description ----------- When a `Response` does not contain a `Content-Type` header, Symfony falls back to the format defined in the `Accept` header of the request, leading to a possible mismatch between the response's content and `Content-Type` header. When the response is cached, this can lead to a corrupted cache where the cached format is not the right one. Resolution ---------- Symfony does not use the `Accept` header anymore to guess the `Content-Type`. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/dca343442e6a954f96a2609e7b4e9c21ed6d74e6) for the 4.4 branch. Credits ------- I would like to thank Xavier Lacot from JoliCode for reporting & Yonel Ceruto and Tobias Schultze for fixing the issue.

CVE-2020-5255
GHSA-mcx4-f5f5-4859

VCID-ugce-e42m-1fgj

Exceptions displayed in non-debug configurations in Symfony Description ----------- When `ErrorHandler` renders an exception HTML page, it uses un-escaped properties from the related Exception class to render the stacktrace. The security issue comes from the fact that the stacktraces were also displayed in non-`debug` environments. Resolution ---------- The `ErrorHandler` class now escapes all properties coming from the related Exception, and the stacktrace is not displayed anymore in non-`debug` environments. The patches for this issue are available [here](https://github.com/symfony/symfony/commit/cf80224589ac05402d4f72f5ddf80900ec94d5ad) and [here](https://github.com/symfony/symfony/commit/629d21b800a15dc649fb0ae9ed7cd9211e7e45db) for branch 4.4. Credits ------- I would like to thank Luka Sikic for reporting & Yonel Ceruto and Jérémy Derussé for fixing the issue.

CVE-2020-5274
GHSA-m884-279h-32v2

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T12:07:24.695493+00:00	Debian Importer	Fixing	VCID-pgk7-bnxx-ckeq	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T10:21:35.454293+00:00	Debian Importer	Fixing	VCID-ugce-e42m-1fgj	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T10:06:15.816237+00:00	Debian Importer	Fixing	VCID-grxm-dpcv-37d9	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-13T08:17:22.692468+00:00	Debian Importer	Fixing	VCID-pgk7-bnxx-ckeq	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T06:58:38.898062+00:00	Debian Importer	Fixing	VCID-ugce-e42m-1fgj	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T06:47:02.012889+00:00	Debian Importer	Fixing	VCID-grxm-dpcv-37d9	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-03T07:53:42.671542+00:00	Debian Importer	Fixing	VCID-grxm-dpcv-37d9	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:53:42.624228+00:00	Debian Importer	Fixing	VCID-ugce-e42m-1fgj	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:53:42.576994+00:00	Debian Importer	Fixing	VCID-pgk7-bnxx-ckeq	https://security-tracker.debian.org/tracker/data/json	38.1.0