CVE-2017-16652

An issue was discovered in Symfony 2.7.x before 2.7.38, 2.8.x before 2.8.31, 3.2.x before 3.2.14, and 3.3.x before 3.3.13. DefaultAuthenticationSuccessHandler or DefaultAuthenticationFailureHandler takes the content of the targetpath parameter and generates a redirect response, but no check is performed on the path, which could be an absolute URL to an external domain. This Open redirect vulnerability can be exploited for example to mount effective phishing attacks.

Database specific

{
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "last_affected": "8.0"
                }
            ],
            "cpes": [
                "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"
            ],
            "vendor_product": "debian:debian_linux",
            "source": "CPE_STRING"
        }
    ]
}

References

Affected packages

Git / github.com/symfony/security-http

Affected ranges

Type

GIT

Repo

https://github.com/symfony/security-http

Events

Introduced

Fixed

d36a87a41e24fb6f24e053b5d2780630366a1810

Fixed

558bddb30922e6b7a501ed77d2056ce848dac6f7

Fixed

d2091c3d65654871e9e89be64507e02450e3a337

Introduced

760872233cd3147870184697e3481ffa492ac2fb

Fixed

a0813c60237631167219c2129e290390a9e4ebb2

Database specific

{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.7.38"
        },
        {
            "fixed": "2.8.31"
        },
        {
            "fixed": "3.2.14"
        },
        {
            "introduced": "3.3.0"
        },
        {
            "fixed": "3.3.13"
        }
    ],
    "cpe": "cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*",
    "source": "CPE_RANGE"
}

Affected versions

v2.*

v2.4.0-BETA1

v2.4.0-BETA2

v2.4.0-RC1

v2.5.0

v2.5.0-BETA1

v2.5.0-BETA2

v2.5.0-RC1

v2.5.1

v2.5.2

v2.6.0-BETA1

v2.7.0

v2.7.0-BETA1

v2.7.0-BETA2

v2.7.1

v2.7.10

v2.7.12

v2.7.13

v2.7.14

v2.7.15

v2.7.16

v2.7.17

v2.7.18

v2.7.19

v2.7.2

v2.7.20

v2.7.21

v2.7.22

v2.7.23

v2.7.24

v2.7.25

v2.7.26

v2.7.27

v2.7.28

v2.7.29

v2.7.3

v2.7.30

v2.7.31

v2.7.32

v2.7.33

v2.7.34

v2.7.35

v2.7.36

v2.7.37

v2.7.4

v2.7.5

v2.7.6

v2.7.7

v2.7.8

v2.7.9

v2.8.0

v2.8.0-BETA1

v2.8.1

v2.8.10

v2.8.11

v2.8.12

v2.8.13

v2.8.14

v2.8.15

v2.8.16

v2.8.17

v2.8.18

v2.8.19

v2.8.2

v2.8.20

v2.8.21

v2.8.22

v2.8.23

v2.8.24

v2.8.25

v2.8.26

v2.8.27

v2.8.28

v2.8.29

v2.8.3

v2.8.30

v2.8.4

v2.8.5

v2.8.6

v2.8.7

v2.8.8

v2.8.9

v3.*

v3.0.0

v3.0.0-BETA1

v3.1.0

v3.1.0-BETA1

v3.1.0-RC1

v3.1.1

v3.2.0

v3.2.0-BETA1

v3.2.0-RC1

v3.2.0-RC2

v3.2.1

v3.2.10

v3.2.11

v3.2.12

v3.2.13

v3.2.2

v3.2.3

v3.2.4

v3.2.5

v3.2.6

v3.2.7

v3.2.8

v3.2.9

v3.3.0

v3.3.1

v3.3.10

v3.3.11

v3.3.12

v3.3.2

v3.3.3

v3.3.4

v3.3.5

v3.3.6

v3.3.7

v3.3.8

v3.3.9

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-16652.json"

Git / github.com/symfony/symfony

Affected ranges

Type

GIT

Repo

https://github.com/symfony/symfony

Events

Introduced

Fixed

b95964ae888c9e25ad7c3eee22730c68b33b1a8b

Fixed

fa9fa59d7bf9d5c73a264d348f0da793cafdc73c

Fixed

fc9f9470e81e6fb59bd826d8040b961f7ed30f94

Introduced

5a7e31c48e7cd4831efa409fffb661beb9995174

Fixed

9b0226340705f75fd0cebd220746a36050ead8a9

Database specific

{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.7.38"
        },
        {
            "fixed": "2.8.31"
        },
        {
            "fixed": "3.2.14"
        },
        {
            "introduced": "3.3.0"
        },
        {
            "fixed": "3.3.13"
        }
    ],
    "cpe": "cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*",
    "source": "CPE_RANGE"
}

Affected versions

v2.*

v2.0.0

v2.0.0-RC1

v2.0.0-RC2

v2.0.0-RC3

v2.0.0-RC4

v2.0.0-RC5

v2.0.0-RC6

v2.0.0BETA1

v2.0.0BETA2

v2.0.0BETA3

v2.0.0BETA4

v2.0.0BETA5

v2.0.0PR8

v2.1.0

v2.1.0-BETA1

v2.1.0-BETA2

v2.1.0-BETA3

v2.1.0-BETA4

v2.1.0-RC1

v2.1.0-RC2

v2.2.0-BETA1

v2.2.0-BETA2

v2.3.0-BETA1

v2.3.0-BETA2

v2.4.0-BETA1

v2.4.0-BETA2

v2.5.0-BETA1

v2.5.0-BETA2

v2.6.0-BETA1

v2.7.0

v2.7.0-BETA1

v2.7.0-BETA2

v2.7.1

v2.7.10

v2.7.11

v2.7.12

v2.7.13

v2.7.14

v2.7.15

v2.7.16

v2.7.17

v2.7.18

v2.7.19

v2.7.2

v2.7.20

v2.7.21

v2.7.22

v2.7.23

v2.7.24

v2.7.25

v2.7.26

v2.7.27

v2.7.28

v2.7.29

v2.7.3

v2.7.30

v2.7.31

v2.7.32

v2.7.33

v2.7.34

v2.7.35

v2.7.36

v2.7.37

v2.7.4

v2.7.5

v2.7.6

v2.7.7

v2.7.8

v2.7.9

v2.8.0

v2.8.0-BETA1

v2.8.1

v2.8.10

v2.8.11

v2.8.12

v2.8.13

v2.8.14

v2.8.15

v2.8.16

v2.8.17

v2.8.18

v2.8.19

v2.8.2

v2.8.20

v2.8.21

v2.8.22

v2.8.23

v2.8.24

v2.8.25

v2.8.26

v2.8.27

v2.8.28

v2.8.29

v2.8.3

v2.8.30

v2.8.4

v2.8.5

v2.8.6

v2.8.7

v2.8.8

v2.8.9

v3.*

v3.0.0

v3.0.0-BETA1

v3.2.0

v3.2.0-BETA1

v3.2.0-RC1

v3.2.0-RC2

v3.2.1

v3.2.10

v3.2.11

v3.2.12

v3.2.13

v3.2.2

v3.2.3

v3.2.4

v3.2.5

v3.2.6

v3.2.7

v3.2.8

v3.2.9

v3.3.0

v3.3.1

v3.3.10

v3.3.11

v3.3.12

v3.3.2

v3.3.3

v3.3.4

v3.3.5

v3.3.6

v3.3.7

v3.3.8

v3.3.9

Other

vPR3

vPR4

vPR5

vPR6

vPR8

vPR9

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-16652.json"