CVE-2019-18886 – symfony/security-http
Package
Manager: composer
Name: symfony/security-http
Vulnerable Version: >=4.1.0 <4.2.12 || >=4.3.0 <4.3.8
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.01546 (percentile 0.80716)
Details
User enumeration leak using switch user functionality in Symfony
An issue was discovered in Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7. User enumeration was possible because unauthorized attempts to use the switch user functionality were handled differently depending on whether the target user existed. This is related to symfony/security.
Metadata
Created: 2019-12-02T18:09:21Z
Modified: 2021-07-28T15:49:16Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-4vpc-5jx4-cfqg/GHSA-4vpc-5jx4-cfqg.json
CWE IDs: ["CWE-200", "CWE-203"]
Alternative ID: GHSA-4vpc-5jx4-cfqg
Finding: F026
Auto approve: 1