
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2020-5275 affects symfony/security-http before versions 4.4.7 and 5.0.7. The vulnerability was discovered in March 2020 and involves incorrect handling of access control rules when using the unanimous strategy in the Firewall component. The issue affects Symfony installations using versions 4.4.0 through 4.4.6 and 5.0.0 through 5.0.6 (GitHub Advisory).
The vulnerability occurs when a Firewall checks an access control rule using the unanimous strategy. Prior to version 4.4.0, the system iterated over all attributes of the matching rule and granted access only if every call to the accessDecisionManager decided to grant access. A bug introduced in version 4.4.0 made the loop stop, and grant access, as soon as the accessDecisionManager granted access for a single attribute, so the remaining attributes of the same rule were never evaluated. In effect, any one attribute that a voter grants becomes sufficient, regardless of the configured strategy (GitHub Advisory). The vulnerability has been assigned a CVSS v3.1 base score of 8.1 HIGH (NVD).
The vulnerability leads to incorrect authorization decisions when the unanimous strategy is used for access control rules. A user who satisfies only one of the attributes listed in a rule (for example, holding the required role without also meeting a second requirement listed in the same rule) could gain access to protected resources, bypassing checks that should have been enforced (GitHub Advisory). Installations are exposed only if the access decision manager is configured with the unanimous strategy (the Symfony default is affirmative) and at least one access control rule lists more than one attribute; a rule with a single attribute behaves the same way before and after the bug.
The issue has been patched in Symfony versions 4.4.7 and 5.0.7. The fix calls the accessDecisionManager once with all attributes of the rule, so the unanimous strategy is applied across every attribute rather than to each one in isolation. Users should upgrade to these patched versions to resolve the vulnerability; the installed version can be confirmed with composer show symfony/security-http (GitHub Advisory, Symfony Patch).
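The following PHP script is an added illustration of the behaviour described above; it is not code from symfony/symfony or from this advisory. It models a firewall access check against a unanimous decision manager in both the vulnerable and the fixed shape. The Token, RoleVoter and AuthenticatedVoter classes and the decideUnanimous() function are simplified stand-ins for Symfony's own classes (assumed, not the real implementations), the access_control rule and the remember-me admin user are constructed for the example, and the script requires PHP 8.0 or later.

```php
<?php
// Illustration for CVE-2020-5275 (added example, not Symfony's own code).
// Models the interaction between the firewall's access check and an access
// decision manager using the "unanimous" strategy.

const ACCESS_GRANTED = 1;
const ACCESS_ABSTAIN = 0;
const ACCESS_DENIED = -1;

// Stand-in for a security token: the user's roles plus whether the user
// authenticated with credentials in this session (false for a session
// restored from a remember-me cookie).
final class Token
{
    public function __construct(public array $roles, public bool $fullyAuthenticated) {}
}

interface Voter
{
    public function vote(Token $token, string $attribute): int;
}

// Simplified RoleVoter: votes only on ROLE_* attributes, abstains otherwise.
final class RoleVoter implements Voter
{
    public function vote(Token $token, string $attribute): int
    {
        if (!str_starts_with($attribute, 'ROLE_')) {
            return ACCESS_ABSTAIN;
        }
        return \in_array($attribute, $token->roles, true) ? ACCESS_GRANTED : ACCESS_DENIED;
    }
}

// Simplified AuthenticatedVoter: votes only on IS_AUTHENTICATED_FULLY.
final class AuthenticatedVoter implements Voter
{
    public function vote(Token $token, string $attribute): int
    {
        if ('IS_AUTHENTICATED_FULLY' !== $attribute) {
            return ACCESS_ABSTAIN;
        }
        return $token->fullyAuthenticated ? ACCESS_GRANTED : ACCESS_DENIED;
    }
}

// Unanimous strategy: every voter votes on every attribute it is given.
// A single DENIED vote rejects; at least one GRANTED vote is needed to accept.
// (Symfony's real manager also has an "allow if all abstain" option, omitted here.)
function decideUnanimous(array $voters, Token $token, array $attributes): bool
{
    $grants = 0;
    foreach ($voters as $voter) {
        foreach ($attributes as $attribute) {
            $vote = $voter->vote($token, $attribute);
            if (ACCESS_DENIED === $vote) {
                return false;
            }
            if (ACCESS_GRANTED === $vote) {
                ++$grants;
            }
        }
    }
    return $grants > 0;
}

// Vulnerable shape (4.4.0 - 4.4.6, 5.0.0 - 5.0.6): one decide() call per
// attribute, returning as soon as any single attribute is granted. The
// strategy never sees the rule's attributes together.
function accessGrantedVulnerable(array $voters, Token $token, array $attributes): bool
{
    foreach ($attributes as $attribute) {
        if (decideUnanimous($voters, $token, [$attribute])) {
            return true;
        }
    }
    return false;
}

// Fixed shape (4.4.7 / 5.0.7): a single decide() call with all attributes,
// so the unanimous strategy is applied across the whole rule.
function accessGrantedFixed(array $voters, Token $token, array $attributes): bool
{
    return decideUnanimous($voters, $token, $attributes);
}

// Constructed scenario: a rule requiring both attributes, equivalent to
//   - { path: ^/admin, roles: [ROLE_ADMIN, IS_AUTHENTICATED_FULLY] }
// checked for an admin whose session came from a remember-me cookie.
$voters = [new RoleVoter(), new AuthenticatedVoter()];
$rule = ['ROLE_ADMIN', 'IS_AUTHENTICATED_FULLY'];
$rememberedAdmin = new Token(['ROLE_ADMIN'], fullyAuthenticated: false);

var_dump(accessGrantedVulnerable($voters, $rememberedAdmin, $rule));
var_dump(accessGrantedFixed($voters, $rememberedAdmin, $rule));
```

In the vulnerable path the first iteration asks the manager about ROLE_ADMIN alone: the RoleVoter grants it, the AuthenticatedVoter abstains, so the loop returns true and IS_AUTHENTICATED_FULLY is never evaluated. In the fixed path both attributes are voted on in one call, the AuthenticatedVoter denies IS_AUTHENTICATED_FULLY for the remembered user, and the unanimous strategy rejects the request as intended.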
Source: This report was generated using AI