GHSA-4vpc-5jx4-cfqg

Suggest an improvement
Source
https://github.com/advisories/GHSA-4vpc-5jx4-cfqg
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-4vpc-5jx4-cfqg/GHSA-4vpc-5jx4-cfqg.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-4vpc-5jx4-cfqg
Aliases
Published
2019-12-02T18:09:21Z
Modified
2023-11-08T04:01:26.701293Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
User enumeration leak using switch user functionality in Symfony
Details

An issue was discovered in Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7. The ability to enumerate users was possible due to different handling depending on whether the user existed when making unauthorized attempts to use the switch users functionality. This is related to symfony/security.

Database specific
{
    "nvd_published_at": "2019-11-21T18:15:00Z",
    "github_reviewed_at": "2019-12-01T19:47:26Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-200",
        "CWE-203"
    ]
}
References

Affected packages

Packagist / symfony/security-http

Package

Name
symfony/security-http
Purl
pkg:composer/symfony/security-http

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.1.0
Fixed
4.2.12

Affected versions

v4.*

v4.1.0
v4.1.1
v4.1.2
v4.1.3
v4.1.4
v4.1.5
v4.1.6
v4.1.7
v4.1.8
v4.1.9
v4.1.10
v4.1.11
v4.1.12
v4.2.0-BETA1
v4.2.0-BETA2
v4.2.0-RC1
v4.2.0
v4.2.1
v4.2.2
v4.2.3
v4.2.4
v4.2.5
v4.2.6
v4.2.7
v4.2.8
v4.2.9
v4.2.10
v4.2.11

Packagist / symfony/security-http

Package

Name
symfony/security-http
Purl
pkg:composer/symfony/security-http

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.3.0
Fixed
4.3.8

Affected versions

v4.*

v4.3.0
v4.3.1
v4.3.2
v4.3.3
v4.3.4
v4.3.5
v4.3.6
v4.3.7

Packagist / symfony/symfony

Package

Name
symfony/symfony
Purl
pkg:composer/symfony/symfony

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.1.0
Fixed
4.2.12

Affected versions

v4.*

v4.1.0
v4.1.1
v4.1.2
v4.1.3
v4.1.4
v4.1.5
v4.1.6
v4.1.7
v4.1.8
v4.1.9
v4.1.10
v4.1.11
v4.1.12
v4.1.13
v4.2.0-BETA1
v4.2.0-BETA2
v4.2.0-RC1
v4.2.0
v4.2.1
v4.2.2
v4.2.3
v4.2.4
v4.2.5
v4.2.6
v4.2.7
v4.2.8
v4.2.9
v4.2.10
v4.2.11

Packagist / symfony/symfony

Package

Name
symfony/symfony
Purl
pkg:composer/symfony/symfony

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.3.0
Fixed
4.3.8

Affected versions

v4.*

v4.3.0
v4.3.1
v4.3.2
v4.3.3
v4.3.4
v4.3.5
v4.3.6
v4.3.7