Symfony Security vulnerabilities

CVE-2017-11365 [CRITICAL] CWE-284 Symfony Incorrect Access Control Symfony Incorrect Access Control Certain Symfony products are affected by: Incorrect Access Control. This affects Symfony 2.7.30 and Symfony 2.8.23 and Symfony 3.2.10 and Symfony 3.3.3. The type of exploitation is: remote. The component is: Password validator.

CVE-2016-1902 [HIGH] CWE-332 Symfony Cryptographic Vulnerability Symfony Cryptographic Vulnerability The nextBytes function in the SecureRandom class in Symfony before 2.3.37, 2.6.x before 2.6.13, and 2.7.x before 2.7.9 does not properly generate random numbers when used with PHP 5.x without the paragonie/random_compat library and the openssl_random_pseudo_bytes function fails, which makes it easier for attackers to defeat cryptographic protection mechanisms via unspecified vectors.

CVE-2015-8125 [HIGH] CWE-208 Symfony Vulnerable to Timing Attack Symfony Vulnerable to Timing Attack Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 might allow remote attackers to have unspecified impact via a timing attack involving the (1) `Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices` or (2) `Symfony/Component/Security/Http/Firewall/DigestAuthenticationListener` class in the Symfony Security Component, or (3) legacy CSRF implemen

CVE-2016-4423 [HIGH] Symphony Denial of Service Via Overlong Usernames Symphony Denial of Service Via Overlong Usernames The attemptAuthentication function in `Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php` in Symfony before 2.3.41, 2.7.x before 2.7.13, 2.8.x before 2.8.6, and 3.0.x before 3.0.6 does not limit the length of a username stored in a session, which allows remote attackers to cause a denial of service (session storage consumption) via a series of au

CVE-2013-5958 [MEDIUM] CWE-789 Symfony Denial of Service Via Long Password Hashing Symfony Denial of Service Via Long Password Hashing The Security component in Symfony 2.0.x before 2.0.25, 2.1.x before 2.1.13, 2.2.x before 2.2.9, and 2.3.x before 2.3.6 allows remote attackers to cause a denial of service (CPU consumption) via a long password that triggers an expensive hash computation, as demonstrated by a PBKDF2 computation, a similar issue to CVE-2013-5750.

CVE-2012-6431 [MEDIUM] CWE-287 Symfony Allows URI Restrictions Bypass Via Double-Encoded String Symfony Allows URI Restrictions Bypass Via Double-Encoded String On the Symfony 2.0.x version, there's a security issue that allows access to routes protected by a firewall even when the user is not logged in. Both the Routing component and the Security component uses the path returned by `getPathInfo()` to match a Request. The `getPathInfo()` returns a decoded path, but the Routing component (`Symf

CVE-2016-2403 [CRITICAL] CWE-287 Symfony Authentication Bypass Symfony Authentication Bypass Symfony before 2.8.6 and 3.x before 3.0.6 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind.

CVE-2018-11407 [CRITICAL] CWE-287 Symfony Authentication Bypass Symfony Authentication Bypass An issue was discovered in the LDAP component in Symfony 2.8.x before 2.8.37, 3.3.x before 3.3.17, 3.4.x before 3.4.7, and 4.0.x before 4.0.7. It allows remote attackers to bypass authentication by logging in with a "null" password and valid username, which triggers an unauthenticated bind. **NOTE:** this issue exists because of an incomplete fix for CVE-2016-2403.

CVE-2018-11385 [HIGH] CWE-384 Symfony Session Fixation Vulnerability Symfony Session Fixation Vulnerability An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. A session fixation vulnerability within the "Guard" login feature may allow an attacker to impersonate a victim towards the web application if the session id value was previously known to the attacker.

CVE-2018-11406 [HIGH] CWE-352 Symfony CSRF Token Fixation Symfony CSRF Token Fixation An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. By default, a user's session is invalidated when the user is logged out. This behavior can be disabled through the invalidate_session option. In this case, CSRF tokens were not erased during logout which allowed for CSRF token fixation.

CVE-2017-16652 [MEDIUM] CWE-601 Symfony Open Redirect Symfony Open Redirect An issue was discovered in Symfony 2.7.x before 2.7.38, 2.8.x before 2.8.31, 3.2.x before 3.2.14, and 3.3.x before 3.3.13. `DefaultAuthenticationSuccessHandler` or `DefaultAuthenticationFailureHandler` takes the content of the `_target_path` parameter and generates a redirect response, but no check is performed on the path, which could be an absolute URL to an external domain. This Open redirect vulnerability can be exp

CVE-2018-19790 [MEDIUM] CWE-601 Symfony Open Redirect Symfony Open Redirect An open redirect was discovered in Symfony 2.7.x before 2.7.50, 2.8.x before 2.8.49, 3.x before 3.4.20, 4.0.x before 4.0.15, 4.1.x before 4.1.9 and 4.2.x before 4.2.1. By using backslashes in the `_failure_path` input field of login forms, an attacker can work around the redirection target restrictions and effectively redirect the user to any domain after login.

CVE-2015-8124 [LOW] CWE-384 Symfony Session Fixation Vulnerability Symfony Session Fixation Vulnerability A session fixation vulnerability within the "Remember Me" login feature allows an attacker to impersonate the victim towards the web application if the session id value was previously known to the attacker. This issue has been fixed in Symfony 2.3.35, 2.6.12, and 2.7.7. Note that no fixes are provided for Symfony 2.4 and 2.5 as they are not maintained anymore. Symfony 2.8 and 3.0 haven't be

CVE-2017-16653 [MEDIUM] CWE-352 Symfony CSRF Vulnerability Symfony CSRF Vulnerability An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The current implementation of CSRF protection in Symfony (Version >=2) does not use different tokens for HTTP and HTTPS; therefore the token is subject to MITM attacks on HTTP and can then be used in an HTTPS context to do CSRF attacks.

CVE-2021-21424 [MEDIUM] CWE-200 Prevent user enumeration using Guard or the new Authenticator-based Security Prevent user enumeration using Guard or the new Authenticator-based Security Description The ability to enumerate users was possible without relevant permissions due to different exception messages depending on whether the user existed or not. It was also possible to enumerate users by using a timing attack, by comparing time elapsed when authenticating an existing user and authenticati

CVE-2020-5275 [HIGH] CWE-285 Firewall configured with unanimous strategy was not actually unanimous in Symfony Firewall configured with unanimous strategy was not actually unanimous in Symfony Description On Symfony before 4.4.0, when a `Firewall` checks an access control rule (using the unanimous strategy), it iterates over all rule attributes and grant access only if *all* calls to the `accessDecisionManager` decide to grant access. As of Symfony 4.4.0, a bug was introduced that prevents th

CVE-2019-10911 [HIGH] CWE-200 Improper authentication in Symfony Improper authentication in Symfony In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, a vulnerability would allow an attacker to authenticate as a privileged user on sites with user registration and remember me login functionality enabled. This is related to symfony/security.