GHSA-wvj5-r78r-hhfq

Suggest an improvement
Source
https://github.com/advisories/GHSA-wvj5-r78r-hhfq
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-wvj5-r78r-hhfq/GHSA-wvj5-r78r-hhfq.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-wvj5-r78r-hhfq
Aliases
Published
2022-05-14T03:10:21Z
Modified
2024-02-08T19:31:44.050587Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Symfony Authentication Bypass
Details

Symfony before 2.8.6 and 3.x before 3.0.6 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind.

Database specific 
{
    "cwe_ids": [
        "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-07-31T18:26:03Z",
    "severity": "CRITICAL",
    "nvd_published_at": "2017-02-07T17:59:00Z"
}
References

Affected packages

Packagist

symfony/security-core

Package

Name
symfony/security-core
Purl
pkg:composer/symfony/security-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.8.0
Fixed
2.8.6

Affected versions

v2.*

v2.8.0
v2.8.1
v2.8.2
v2.8.3
v2.8.4
v2.8.5

symfony/security-core

Package

Name
symfony/security-core
Purl
pkg:composer/symfony/security-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.0.6

Affected versions

v3.*

v3.0.0
v3.0.1
v3.0.2
v3.0.3
v3.0.4
v3.0.5

symfony/security

Package

Name
symfony/security
Purl
pkg:composer/symfony/security

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.8.0
Fixed
2.8.6

Affected versions

v2.*

v2.8.0
v2.8.1
v2.8.2
v2.8.3
v2.8.4
v2.8.5

symfony/security

Package

Name
symfony/security
Purl
pkg:composer/symfony/security

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.0.6

Affected versions

v3.*

v3.0.0
v3.0.1
v3.0.2
v3.0.3
v3.0.4
v3.0.5

symfony/symfony

Package

Name
symfony/symfony
Purl
pkg:composer/symfony/symfony

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.8.0
Fixed
2.8.6

Affected versions

v2.*

v2.8.0
v2.8.1
v2.8.2
v2.8.3
v2.8.4
v2.8.5

symfony/symfony

Package

Name
symfony/symfony
Purl
pkg:composer/symfony/symfony

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.0.6

Affected versions

v3.*

v3.0.0
v3.0.1
v3.0.2
v3.0.3
v3.0.4
v3.0.5