GHSA-4vpc-5jx4-cfqg

Source

https://github.com/advisories/GHSA-4vpc-5jx4-cfqg

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-4vpc-5jx4-cfqg/GHSA-4vpc-5jx4-cfqg.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-4vpc-5jx4-cfqg

Aliases

CVE-2019-18886

Published

2019-12-02T18:09:21Z

Modified

2023-11-08T04:01:26.701293Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

User enumeration leak using switch user functionality in Symfony

Details

An issue was discovered in Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7. The ability to enumerate users was possible due to different handling depending on whether the user existed when making unauthorized attempts to use the switch users functionality. This is related to symfony/security.

Database specific

{
    "nvd_published_at": "2019-11-21T18:15:00Z",
    "github_reviewed_at": "2019-12-01T19:47:26Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-200",
        "CWE-203"
    ]
}

References

Affected packages

Packagist / symfony/security-http

Package

Name: symfony/security-http
Purl: pkg:composer/symfony/security-http

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.1.0

Fixed

4.2.12

Affected versions

v4.*

v4.1.0

v4.1.1

v4.1.2

v4.1.3

v4.1.4

v4.1.5

v4.1.6

v4.1.7

v4.1.8

v4.1.9

v4.1.10

v4.1.11

v4.1.12

v4.2.0-BETA1

v4.2.0-BETA2

v4.2.0-RC1

v4.2.0

v4.2.1

v4.2.2

v4.2.3

v4.2.4

v4.2.5

v4.2.6

v4.2.7

v4.2.8

v4.2.9

v4.2.10

v4.2.11

Packagist / symfony/security-http

Package

Name: symfony/security-http
Purl: pkg:composer/symfony/security-http

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.3.0

Fixed

4.3.8

Affected versions

v4.*

v4.3.0

v4.3.1

v4.3.2

v4.3.3

v4.3.4

v4.3.5

v4.3.6

v4.3.7

Packagist / symfony/symfony

Package

Name: symfony/symfony
Purl: pkg:composer/symfony/symfony

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.1.0

Fixed

4.2.12

Affected versions

v4.*

v4.1.0

v4.1.1

v4.1.2

v4.1.3

v4.1.4

v4.1.5

v4.1.6

v4.1.7

v4.1.8

v4.1.9

v4.1.10

v4.1.11

v4.1.12

v4.1.13

v4.2.0-BETA1

v4.2.0-BETA2

v4.2.0-RC1

v4.2.0

v4.2.1

v4.2.2

v4.2.3

v4.2.4

v4.2.5

v4.2.6

v4.2.7

v4.2.8

v4.2.9

v4.2.10

v4.2.11

Packagist / symfony/symfony

Package

Name: symfony/symfony
Purl: pkg:composer/symfony/symfony

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.3.0

Fixed

4.3.8

Affected versions

v4.*

v4.3.0

v4.3.1

v4.3.2

v4.3.3

v4.3.4

v4.3.5

v4.3.6

v4.3.7