CVE-2016-2403 — Improper Authentication in Security

CWE-287 — Improper Authentication7 documents5 sources

Severity

9.8CRITICALNVD

EPSS

0.2%

top 63.88%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Symfony Symfony Security Symfony Security-core +1 more

Timeline

PublishedFeb 7

Latest updateMay 14

Description

Symfony before 2.8.6 and 3.x before 3.0.6 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages5 packages

▶Packagistsymfony/symfony2.8.0 — 2.8.6+1

▶Packagistsymfony/security2.8.0 — 2.8.6+1

▶Packagistsymfony/security-core2.8.0 — 2.8.6+1

▶Debiansymfony/symfony< 2.8.6+dfsg-1+3

▶NVDsensiolabs/symfony12 versions+11

🔴Vulnerability Details

GHSA

Symfony Authentication Bypass↗2022-05-14

▶

OSV

Symfony Authentication Bypass↗2022-05-14

▶

GHSA

Symfony Authentication Bypass↗2022-05-14

▶

OSV

CVE-2016-2403: Symfony before 2↗2017-02-07

▶

CVEList

CVE-2016-2403: Symfony before 2↗2017-02-07

▶

📋Vendor Advisories

Debian

CVE-2016-2403: symfony - Symfony before 2.8.6 and 3.x before 3.0.6 allows remote attackers to bypass auth...↗2016

▶