Symfony Security-Core vulnerabilities

5 known vulnerabilities affecting symfony/security-core.

Total CVEs

5

CISA KEV

0

Public exploits

0

Exploited in wild

0

Severity breakdown

CRITICAL3HIGH1MEDIUM1

Vulnerabilities

Page 1 of 1

CVE-2017-11365CRITICAL≥ 2.7.30, < 2.7.32≥ 2.8.23, < 2.8.25+2 more2022-05-24

CVE-2017-11365 [CRITICAL] CWE-284 Symfony Incorrect Access Control Symfony Incorrect Access Control Certain Symfony products are affected by: Incorrect Access Control. This affects Symfony 2.7.30 and Symfony 2.8.23 and Symfony 3.2.10 and Symfony 3.3.3. The type of exploitation is: remote. The component is: Password validator.

CVE-2016-1902HIGH≥ 2.4.0, < 2.6.13≥ 2.7.0, < 2.7.92022-05-17

CVE-2016-1902 [HIGH] CWE-332 Symfony Cryptographic Vulnerability Symfony Cryptographic Vulnerability The nextBytes function in the SecureRandom class in Symfony before 2.3.37, 2.6.x before 2.6.13, and 2.7.x before 2.7.9 does not properly generate random numbers when used with PHP 5.x without the paragonie/random_compat library and the openssl_random_pseudo_bytes function fails, which makes it easier for attackers to defeat cryptographic protection mechanisms via unspecified vectors.

CVE-2016-2403CRITICAL≥ 2.8.0, < 2.8.6≥ 3.0.0, < 3.0.62022-05-14

CVE-2016-2403 [CRITICAL] CWE-287 Symfony Authentication Bypass Symfony Authentication Bypass Symfony before 2.8.6 and 3.x before 3.0.6 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind.

CVE-2018-11407CRITICALCVSS 9.8≥ 2.8.0, < 2.8.37≥ 3.0.0, < 3.3.17+2 more2022-05-14

CVE-2018-11407 [CRITICAL] CWE-287 Symfony Authentication Bypass Symfony Authentication Bypass An issue was discovered in the LDAP component in Symfony 2.8.x before 2.8.37, 3.3.x before 3.3.17, 3.4.x before 3.4.7, and 4.0.x before 4.0.7. It allows remote attackers to bypass authentication by logging in with a "null" password and valid username, which triggers an unauthenticated bind. **NOTE:** this issue exists because of an incomplete fix for CVE-2016-2403.

CVE-2021-21424MEDIUM≥ 2.8.0, < 3.4.48≥ 4.0.0, < 4.4.23+1 more2021-05-13

CVE-2021-21424 [MEDIUM] CWE-200 Prevent user enumeration using Guard or the new Authenticator-based Security Prevent user enumeration using Guard or the new Authenticator-based Security Description The ability to enumerate users was possible without relevant permissions due to different exception messages depending on whether the user existed or not. It was also possible to enumerate users by using a timing attack, by comparing time elapsed when authenticating an existing user and authenticati