Vulnerability_id VCID-2ts3-y5j2-vufe
Summary
Authentication granted to all firewalls instead of just one
Description
-----------

When an application defines multiple firewalls, the authenticated token delivered by one of the firewalls is available to all other firewalls. This can be abused when the application defines different providers for different parts of an application. In such a situation, a user authenticated on one part of the application is considered authenticated on the whole application.

Resolution
----------

We now ensure that the authenticated token is only available for the firewall that generates it.

The patch for this issue is available [here](https://github.com/symfony/symfony/commit/3084764ad82f29dbb025df19978b9cbc3ab34728) for branch 5.3.

Credits
-------

I would like to thank Bogdan, gndk, Paweł Warchoł, Warxcell, and Adrien Lamotte for reporting the issue and Wouter J for fixing the issue.
Aliases
0
alias CVE-2021-32693
1
alias GHSA-rfcf-m67m-jcrq
Fixed_packages
0
url pkg:composer/symfony/security-http@5.3.2
purl pkg:composer/symfony/security-http@5.3.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-bdhj-np35-sybt
1
vulnerability VCID-kqcd-f4vt-r7g8
2
vulnerability VCID-n3d2-zwve-gbf5
3
vulnerability VCID-sbsb-u8u5-4bcm
4
vulnerability VCID-v4rq-bsry-puct
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/security-http@5.3.2
1
url pkg:composer/symfony/security-http@6.1.0-RC1
purl pkg:composer/symfony/security-http@6.1.0-RC1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-bdhj-np35-sybt
1
vulnerability VCID-sbsb-u8u5-4bcm
2
vulnerability VCID-v4rq-bsry-puct
3
vulnerability VCID-znfv-ngqc-fudw
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/security-http@6.1.0-RC1
2
url pkg:composer/symfony/symfony@5.3.2
purl pkg:composer/symfony/symfony@5.3.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4num-z8cg-83gt
1
vulnerability VCID-8kq8-2mv9-s3ad
2
vulnerability VCID-9bzz-84cq-ykh2
3
vulnerability VCID-bdhj-np35-sybt
4
vulnerability VCID-c8ar-82sr-fqej
5
vulnerability VCID-en6a-wp7q-fbfs
6
vulnerability VCID-j2su-wjra-tbh1
7
vulnerability VCID-kgu6-gj5d-7bfx
8
vulnerability VCID-kqcd-f4vt-r7g8
9
vulnerability VCID-n3d2-zwve-gbf5
10
vulnerability VCID-p1dw-w76f-gbfv
11
vulnerability VCID-qwcj-hq3g-2qd7
12
vulnerability VCID-rgh3-ef8t-k3ec
13
vulnerability VCID-thtp-ehsj-t3ej
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@5.3.2
3
url pkg:deb/debian/symfony@0?distro=trixie
purl pkg:deb/debian/symfony@0?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/symfony@0%3Fdistro=trixie
4
url pkg:deb/debian/symfony@4.4.19%2Bdfsg-2%2Bdeb11u6?distro=trixie
purl pkg:deb/debian/symfony@4.4.19%2Bdfsg-2%2Bdeb11u6?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-p1dw-w76f-gbfv
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/symfony@4.4.19%252Bdfsg-2%252Bdeb11u6%3Fdistro=trixie
5
url pkg:deb/debian/symfony@5.4.23%2Bdfsg-1%2Bdeb12u5?distro=trixie
purl pkg:deb/debian/symfony@5.4.23%2Bdfsg-1%2Bdeb12u5?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/symfony@5.4.23%252Bdfsg-1%252Bdeb12u5%3Fdistro=trixie
6
url pkg:deb/debian/symfony@6.4.21%2Bdfsg-2%2Bdeb13u1?distro=trixie
purl pkg:deb/debian/symfony@6.4.21%2Bdfsg-2%2Bdeb13u1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/symfony@6.4.21%252Bdfsg-2%252Bdeb13u1%3Fdistro=trixie
7
url pkg:deb/debian/symfony@7.4.7%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/symfony@7.4.7%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/symfony@7.4.7%252Bdfsg-1%3Fdistro=trixie
8
url pkg:deb/debian/symfony@7.4.8%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/symfony@7.4.8%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/symfony@7.4.8%252Bdfsg-1%3Fdistro=trixie
9
url pkg:deb/debian/symfony@7.4.9%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/symfony@7.4.9%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/symfony@7.4.9%252Bdfsg-1%3Fdistro=trixie
10
url pkg:deb/debian/symfony@7.4.10%2Bdfsg-1?distro=trixie
purl pkg:deb/debian/symfony@7.4.10%2Bdfsg-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/symfony@7.4.10%252Bdfsg-1%3Fdistro=trixie
Affected_packages
0
url pkg:composer/symfony/security-http@5.3.0
purl pkg:composer/symfony/security-http@5.3.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ts3-y5j2-vufe
1
vulnerability VCID-bdhj-np35-sybt
2
vulnerability VCID-kqcd-f4vt-r7g8
3
vulnerability VCID-n3d2-zwve-gbf5
4
vulnerability VCID-sbsb-u8u5-4bcm
5
vulnerability VCID-v4rq-bsry-puct
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/security-http@5.3.0
1
url pkg:composer/symfony/security-http@5.3.1
purl pkg:composer/symfony/security-http@5.3.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ts3-y5j2-vufe
1
vulnerability VCID-bdhj-np35-sybt
2
vulnerability VCID-kqcd-f4vt-r7g8
3
vulnerability VCID-n3d2-zwve-gbf5
4
vulnerability VCID-sbsb-u8u5-4bcm
5
vulnerability VCID-v4rq-bsry-puct
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/security-http@5.3.1
2
url pkg:composer/symfony/symfony@5.3.0
purl pkg:composer/symfony/symfony@5.3.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-2ts3-y5j2-vufe
1
vulnerability VCID-4num-z8cg-83gt
2
vulnerability VCID-8kq8-2mv9-s3ad
3
vulnerability VCID-9bzz-84cq-ykh2
4
vulnerability VCID-bdhj-np35-sybt
5
vulnerability VCID-c8ar-82sr-fqej
6
vulnerability VCID-en6a-wp7q-fbfs
7
vulnerability VCID-j2su-wjra-tbh1
8
vulnerability VCID-kgu6-gj5d-7bfx
9
vulnerability VCID-kqcd-f4vt-r7g8
10
vulnerability VCID-n3d2-zwve-gbf5
11
vulnerability VCID-p1dw-w76f-gbfv
12
vulnerability VCID-qwcj-hq3g-2qd7
13
vulnerability VCID-rgh3-ef8t-k3ec
14
vulnerability VCID-thtp-ehsj-t3ej
resource_url http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@5.3.0
References
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2021-32693
reference_id
reference_type
scores
0
value 0.00545
scoring_system epss
scoring_elements 0.67736
published_at 2026-04-07T12:55:00Z
1
value 0.00545
scoring_system epss
scoring_elements 0.6795
published_at 2026-05-14T12:55:00Z
2
value 0.00545
scoring_system epss
scoring_elements 0.67894
published_at 2026-05-12T12:55:00Z
3
value 0.00545
scoring_system epss
scoring_elements 0.67869
published_at 2026-05-11T12:55:00Z
4
value 0.00545
scoring_system epss
scoring_elements 0.679
published_at 2026-05-09T12:55:00Z
5
value 0.00545
scoring_system epss
scoring_elements 0.6786
published_at 2026-05-07T12:55:00Z
6
value 0.00545
scoring_system epss
scoring_elements 0.67817
published_at 2026-05-05T12:55:00Z
7
value 0.00545
scoring_system epss
scoring_elements 0.67841
published_at 2026-04-29T12:55:00Z
8
value 0.00545
scoring_system epss
scoring_elements 0.67837
published_at 2026-04-26T12:55:00Z
9
value 0.00545
scoring_system epss
scoring_elements 0.67827
published_at 2026-04-24T12:55:00Z
10
value 0.00545
scoring_system epss
scoring_elements 0.67807
published_at 2026-04-21T12:55:00Z
11
value 0.00545
scoring_system epss
scoring_elements 0.67826
published_at 2026-04-18T12:55:00Z
12
value 0.00545
scoring_system epss
scoring_elements 0.67813
published_at 2026-04-16T12:55:00Z
13
value 0.00545
scoring_system epss
scoring_elements 0.67777
published_at 2026-04-13T12:55:00Z
14
value 0.00545
scoring_system epss
scoring_elements 0.67811
published_at 2026-04-12T12:55:00Z
15
value 0.00545
scoring_system epss
scoring_elements 0.67825
published_at 2026-04-11T12:55:00Z
16
value 0.00545
scoring_system epss
scoring_elements 0.67802
published_at 2026-04-09T12:55:00Z
17
value 0.00545
scoring_system epss
scoring_elements 0.67788
published_at 2026-04-08T12:55:00Z
18
value 0.00545
scoring_system epss
scoring_elements 0.67703
published_at 2026-04-01T12:55:00Z
19
value 0.00545
scoring_system epss
scoring_elements 0.67756
published_at 2026-04-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2021-32693
1
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2021-32693.yaml
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2021-32693.yaml
2
reference_url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2021-32693.yaml
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2021-32693.yaml
3
reference_url https://github.com/symfony/security-http
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/symfony/security-http
4
reference_url https://github.com/symfony/security-http/commit/6bf4c31219773a558b019ee12e54572174ff8129
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/symfony/security-http/commit/6bf4c31219773a558b019ee12e54572174ff8129
5
reference_url https://github.com/symfony/symfony/commit/3084764ad82f29dbb025df19978b9cbc3ab34728
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/symfony/symfony/commit/3084764ad82f29dbb025df19978b9cbc3ab34728
6
reference_url https://github.com/symfony/symfony/security/advisories/GHSA-rfcf-m67m-jcrq
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/symfony/symfony/security/advisories/GHSA-rfcf-m67m-jcrq
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2021-32693
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2021-32693
8
reference_url https://symfony.com/blog/cve-2021-32693-authentication-granted-to-all-firewalls-instead-of-just-one
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://symfony.com/blog/cve-2021-32693-authentication-granted-to-all-firewalls-instead-of-just-one
9
reference_url https://symfony.com/cve-2021-32693
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://symfony.com/cve-2021-32693
10
reference_url https://github.com/advisories/GHSA-rfcf-m67m-jcrq
reference_id GHSA-rfcf-m67m-jcrq
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-rfcf-m67m-jcrq
Weaknesses
0
cwe_id 287
name Improper Authentication
description When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
1
cwe_id 1035
name OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
2
cwe_id 937
name OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
Exploits
Severity_range_score 4.0 - 6.9
Exploitability 0.5
Weighted_severity 6.2
Risk_score 3.1
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2ts3-y5j2-vufe