CVE-2018-11408 – symfony/security-bundle
Package
Manager: composer
Name: symfony/security-bundle
Vulnerable Version: >=2.7.0 <2.7.48 || >=2.8.0 <2.8.41 || >=3.3.0 <3.3.17 || >=3.4.0 <3.4.11 || >=4.0.0 <4.0.11
Severity
Level: Medium
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
EPSS: 0.00307 (percentile 0.5338)
Details
Symfony Open Redirect
The security handlers in the Security component in Symfony in 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11 have an open redirect vulnerability when security.http_utils is inlined by a container. NOTE: this issue exists because of an incomplete fix for CVE-2017-16652.
Metadata
Created: 2022-05-14T01:21:15Z
Modified: 2023-10-06T17:58:33Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7hwc-2cq4-6x2w/GHSA-7hwc-2cq4-6x2w.json
CWE IDs: ["CWE-601"]
Alternative ID: GHSA-7hwc-2cq4-6x2w
Finding: F156
Auto approve: 1