CVE-2019-18886

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2019-18886

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-18886.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2019-18886

Aliases

GHSA-4vpc-5jx4-cfqg

Related

Published

2019-11-21T18:15:11Z

Modified

2025-02-14T10:49:41.135045Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

[none]

Details

An issue was discovered in Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7. The ability to enumerate users was possible due to different handling depending on whether the user existed when making unauthorized attempts to use the switch users functionality. This is related to symfony/security.

References

Affected packages

Debian:11 / symfony

Package

Name: symfony
Purl: pkg:deb/debian/symfony?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.3.8+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / symfony

Package

Name: symfony
Purl: pkg:deb/debian/symfony?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.3.8+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / symfony

Package

Name: symfony
Purl: pkg:deb/debian/symfony?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.3.8+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/symfony/security-http

Affected ranges

Type: GIT
Repo: https://github.com/symfony/security-http
Events: Introduced

13594beb3faaeea891aaae9eeea8ffde16a99faf

Last affected

a2f67dfe0ecfb713734847f4ada0f4231e28ae71

Introduced

34e089af7d363bd2ded8ad15f06b2b97348b97e5

Last affected

a3eddd912d93a8c77ffee2b31448e13864257f4e

Type: GIT
Repo: https://github.com/symfony/symfony
Events: Introduced

7bd9a1bae87e6b2d7eba499ebf3053ff4bc3a483

Last affected

2ba6f17744ee8649ac107039f64d1ee4c959bf32

Introduced

0bf8d128ef3c492436ab5f1b7c7b130f9e96aad2

Last affected

fb4065ac95f08ca26ee605936e537ba2cd4a6bb7

Affected versions

v2.*

v2.7.48

v2.7.49

v2.7.50

v2.8.49

v3.*

v3.4.20

v3.4.21

v3.4.22

v3.4.23

v3.4.24

v3.4.25

v3.4.26

v3.4.27

v3.4.28

v3.4.29

v3.4.30

v3.4.31

v3.4.32

v3.4.33

v3.4.34

v3.4.35

v4.*

v4.1.10

v4.1.11

v4.1.9

v4.2.0

v4.2.0-BETA2

v4.2.0-RC1

v4.2.1

v4.2.10

v4.2.11

v4.2.2

v4.2.3

v4.2.4

v4.2.5

v4.2.6

v4.2.7

v4.2.8

v4.2.9

v4.3.0

v4.3.0-BETA1

v4.3.0-BETA2

v4.3.0-RC1

v4.3.1

v4.3.2

v4.3.3

v4.3.4

v4.3.5

v4.3.6

v4.3.7