CVE-2018-11407 – symfony/security-core
Package
Manager: composer
Name: symfony/security-core
Vulnerable Version: >=2.8.0 <2.8.37 || >=3.0.0 <3.3.17 || >=3.4.0 <3.4.7 || >=4.0.0 <4.0.7
Severity
Level: Critical
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.00198 (percentile 0.42008)
Details
Symfony Authentication Bypass
An issue was discovered in the LDAP component in Symfony 2.8.x before 2.8.37, 3.3.x before 3.3.17, 3.4.x before 3.4.7, and 4.0.x before 4.0.7. It allows remote attackers to bypass authentication by logging in with a "null" password and a valid username, which triggers an unauthenticated bind.
NOTE: this issue exists because of an incomplete fix for CVE-2016-2403.
Metadata
Created: 2022-05-14T03:10:52Z
Modified: 2024-04-25T22:11:25Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-35c5-28pg-2qg4/GHSA-35c5-28pg-2qg4.json
CWE IDs: CWE-287
Alternative ID: GHSA-35c5-28pg-2qg4
Finding: F006
Auto approve: 1