Vulnerability details: VCID-uvvm-sajc-akhw
Vulnerability ID VCID-uvvm-sajc-akhw
Aliases CVE-2021-32693
GHSA-rfcf-m67m-jcrq
Summary Authentication granted to all firewalls instead of just one

Description
-----------
When an application defines multiple firewalls, the authenticated token delivered by one of the firewalls is available to all other firewalls. This can be abused when the application defines different providers for different parts of an application. In such a situation, a user authenticated on one part of the application is considered authenticated on the whole application.

Resolution
----------
We now ensure that the authenticated token is only available for the firewall that generates it. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/3084764ad82f29dbb025df19978b9cbc3ab34728) for branch 5.3.

Credits
-------
I would like to thank Bogdan, gndk, Paweł Warchoł, Warxcell, and Adrien Lamotte for reporting the issue and Wouter J for fixing the issue.
Status Published
Exploitability 0.5
Weighted Severity 7.9
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
System Score Found at
epss 0.00545 https://api.first.org/data/v1/epss?cve=CVE-2021-32693
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-rfcf-m67m-jcrq
cvssv3.1 6.8 https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2021-32693.yaml
generic_textual MODERATE https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2021-32693.yaml
cvssv3.1 6.8 https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2021-32693.yaml
generic_textual MODERATE https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2021-32693.yaml
cvssv3.1 6.8 https://github.com/symfony/security-http
generic_textual MODERATE https://github.com/symfony/security-http
cvssv3.1 6.8 https://github.com/symfony/security-http/commit/6bf4c31219773a558b019ee12e54572174ff8129
generic_textual MODERATE https://github.com/symfony/security-http/commit/6bf4c31219773a558b019ee12e54572174ff8129
cvssv3.1 6.8 https://github.com/symfony/symfony/commit/3084764ad82f29dbb025df19978b9cbc3ab34728
generic_textual MODERATE https://github.com/symfony/symfony/commit/3084764ad82f29dbb025df19978b9cbc3ab34728
cvssv3.1 6.8 https://github.com/symfony/symfony/security/advisories/GHSA-rfcf-m67m-jcrq
cvssv3.1_qr MODERATE https://github.com/symfony/symfony/security/advisories/GHSA-rfcf-m67m-jcrq
generic_textual MODERATE https://github.com/symfony/symfony/security/advisories/GHSA-rfcf-m67m-jcrq
cvssv2 6.5 https://nvd.nist.gov/vuln/detail/CVE-2021-32693
cvssv3.1 6.8 https://nvd.nist.gov/vuln/detail/CVE-2021-32693
cvssv3.1 8.8 https://nvd.nist.gov/vuln/detail/CVE-2021-32693
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2021-32693
cvssv3.1 6.8 https://symfony.com/blog/cve-2021-32693-authentication-granted-to-all-firewalls-instead-of-just-one
generic_textual MODERATE https://symfony.com/blog/cve-2021-32693-authentication-granted-to-all-firewalls-instead-of-just-one
cvssv3.1 6.8 https://symfony.com/cve-2021-32693
generic_textual MODERATE https://symfony.com/cve-2021-32693
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N Found at https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2021-32693.yaml
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): none

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N Found at https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2021-32693.yaml
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): none

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N Found at https://github.com/symfony/security-http
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): none

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N Found at https://github.com/symfony/security-http/commit/6bf4c31219773a558b019ee12e54572174ff8129
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): none

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N Found at https://github.com/symfony/symfony/commit/3084764ad82f29dbb025df19978b9cbc3ab34728
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): none

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N Found at https://github.com/symfony/symfony/security/advisories/GHSA-rfcf-m67m-jcrq
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): none

Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P Found at https://nvd.nist.gov/vuln/detail/CVE-2021-32693
Exploitability (E): not_defined (no temporal metric in the vector); Access Vector (AV): network; Access Complexity (AC): low; Authentication (Au): single; Confidentiality Impact (C): partial; Integrity Impact (I): partial; Availability Impact (A): partial

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2021-32693
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2021-32693
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N Found at https://symfony.com/blog/cve-2021-32693-authentication-granted-to-all-firewalls-instead-of-just-one
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): none

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N Found at https://symfony.com/cve-2021-32693
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): none

Exploit Prediction Scoring System (EPSS)
Percentile 0.66756
EPSS Score 0.00545
Published At June 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-01T12:19:46.769347+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-rfcf-m67m-jcrq/GHSA-rfcf-m67m-jcrq.json 36.1.3