CVE-2021-21424 — Sensitive Information Exposure in Symfony

CWE-200 — Sensitive Information Exposure CWE-203 — Observable Discrepancy8 documents6 sources

Severity

5.3MEDIUMNVD

EPSS

0.3%

top 49.89%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Symfony Sensiolabs Symfony Lexik Jwt-authentication-bundle +6 more

Timeline

PublishedMay 13

Latest updateAug 24

Description

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling depending on whether the user existed or not when attempting to use the switch users functionality. We now ensure that 403s are returned whether the user exists or not if a user cannot switch to a user or if the user does not exist. The patch for this issue is available for branch 3.4.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages11 packages

▶Packagistsymfony/symfony2.8.0 — 3.4.49+2

▶Packagistsymfony/security5.0.0 — 5.2.8+2

▶NVDsensiolabs/symfony2.8.0 — 3.4.48+2

▶Packagistsymfony/maker-bundle1.27.0 — 1.29.2+1

▶Packagistsymfony/security-core2.8.0 — 3.4.48+2

Also affects: Fedora 33, 34

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

symfony vulnerabilities↗2022-08-24

▶

GHSA

Prevent user enumeration using Guard or the new Authenticator-based Security↗2021-05-13

▶

OSV

Prevent user enumeration using Guard or the new Authenticator-based Security↗2021-05-13

▶

CVEList

Prevent user enumeration using Guard or the new Authenticator-based Security↗2021-05-13

▶

OSV

CVE-2021-21424: Symfony is a PHP framework for web and console applications and a set of reusable PHP components↗2021-05-13

▶

📋Vendor Advisories

Ubuntu

Symfony vulnerabilities↗2022-08-24

▶

Debian

CVE-2021-21424: symfony - Symfony is a PHP framework for web and console applications and a set of reusabl...↗2021

▶