CVE-2019-18886 — Observable Discrepancy in Security-http

CWE-203 — Observable Discrepancy CWE-200 — Sensitive Information Exposure9 documents6 sources

Severity

5.3MEDIUMNVD

EPSS

1.5%

top 18.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Symfony Symfony Security-http Sensiolabs Symfony

Timeline

PublishedNov 21

Latest updateDec 2

Description

An issue was discovered in Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7. The ability to enumerate users was possible due to different handling depending on whether the user existed when making unauthorized attempts to use the switch users functionality. This is related to symfony/security.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages4 packages

▶Packagistsymfony/security-http4.1.0 — 4.2.12+1

▶Packagistsymfony/symfony4.1.0 — 4.2.12+1

▶Debiansymfony/symfony< 4.3.8+dfsg-1+3

▶NVDsensiolabs/symfony4.2.0 — 4.2.11+1

🔴Vulnerability Details

GHSA

User enumeration leak using switch user functionality in Symfony↗2019-12-02

▶

OSV

User enumeration leak using switch user functionality in Symfony↗2019-12-02

▶

CVEList

CVE-2019-18886: An issue was discovered in Symfony 4↗2019-11-21

▶

OSV

CVE-2019-18886: An issue was discovered in Symfony 4↗2019-11-21

▶

📋Vendor Advisories

Debian

CVE-2019-18886: symfony - An issue was discovered in Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7. The abili...↗2019

▶

💬Community

Bugzilla

CVE-2019-18886 php-symfony: User enumeration issue in symfony/security [fedora-all]↗2019-11-21

▶

Bugzilla

CVE-2019-18886 php-symfony: User enumeration issue in symfony/security↗2019-11-21

▶

Bugzilla

CVE-2019-18886 php-symfony: User enumeration issue in symfony/security [epel-all]↗2019-11-21

▶