GHSA-r7p7-qr7p-2rrf
Suggest an improvement- Source
- https://github.com/advisories/GHSA-r7p7-qr7p-2rrf
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-r7p7-qr7p-2rrf/GHSA-r7p7-qr7p-2rrf.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-r7p7-qr7p-2rrf
- Aliases
- Published
- 2022-05-14T01:21:36Z
- Modified
- 2024-02-16T08:16:24.148792Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- Symfony Open Redirect
- Details
-
An issue was discovered in Symfony 2.7.x before 2.7.38, 2.8.x before 2.8.31, 3.2.x before 3.2.14, and 3.3.x before 3.3.13.
DefaultAuthenticationSuccessHandlerorDefaultAuthenticationFailureHandlertakes the content of the_target_pathparameter and generates a redirect response, but no check is performed on the path, which could be an absolute URL to an external domain. This Open redirect vulnerability can be exploited for example to mount effective phishing attacks. - Database specific
{ "nvd_published_at": "2018-06-13T16:29:00Z", "cwe_ids": [ "CWE-601" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2023-07-26T19:56:19Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2017-16652
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2017-16652.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security/CVE-2017-16652.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2017-16652.yaml
- https://github.com/symfony/symfony
- https://lists.debian.org/debian-lts-announce/2019/03/msg00009.html
- https://symfony.com/blog/cve-2017-16652-open-redirect-vulnerability-on-security-handlers
- https://symfony.com/cve-2017-16652
Affected packages
Packagist / symfony/symfony
Package
- Name
- symfony/symfony
- Purl
- pkg:composer/symfony/symfony
Affected versions
v2.*
v2.7.0
v2.7.1
v2.7.2
v2.7.3
v2.7.4
v2.7.5
v2.7.6
v2.7.7
v2.7.8
v2.7.9
v2.7.10
v2.7.11
v2.7.12
v2.7.13
v2.7.14
v2.7.15
v2.7.16
v2.7.17
v2.7.18
v2.7.19
v2.7.20
v2.7.21
v2.7.22
v2.7.23
v2.7.24
v2.7.25
v2.7.26
v2.7.27
v2.7.28
v2.7.29
v2.7.30
v2.7.31
v2.7.32
v2.7.33
v2.7.34
v2.7.35
v2.7.36
v2.7.37
Packagist / symfony/symfony
Package
- Name
- symfony/symfony
- Purl
- pkg:composer/symfony/symfony
Packagist / symfony/symfony
Package
- Name
- symfony/symfony
- Purl
- pkg:composer/symfony/symfony
Packagist / symfony/symfony
Package
- Name
- symfony/symfony
- Purl
- pkg:composer/symfony/symfony
Packagist / symfony/security-http
Package
- Name
- symfony/security-http
- Purl
- pkg:composer/symfony/security-http
Affected versions
v2.*
v2.7.0
v2.7.1
v2.7.2
v2.7.3
v2.7.4
v2.7.5
v2.7.6
v2.7.7
v2.7.8
v2.7.9
v2.7.10
v2.7.11
v2.7.12
v2.7.13
v2.7.14
v2.7.15
v2.7.16
v2.7.17
v2.7.18
v2.7.19
v2.7.20
v2.7.21
v2.7.22
v2.7.23
v2.7.24
v2.7.25
v2.7.26
v2.7.27
v2.7.28
v2.7.29
v2.7.30
v2.7.31
v2.7.32
v2.7.33
v2.7.34
v2.7.35
v2.7.36
v2.7.37
Packagist / symfony/security-http
Package
- Name
- symfony/security-http
- Purl
- pkg:composer/symfony/security-http
Packagist / symfony/security-http
Package
- Name
- symfony/security-http
- Purl
- pkg:composer/symfony/security-http
Packagist / symfony/security-http
Package
- Name
- symfony/security-http
- Purl
- pkg:composer/symfony/security-http
Packagist / symfony/security
Package
- Name
- symfony/security
- Purl
- pkg:composer/symfony/security
Affected versions
v2.*
v2.7.0
v2.7.1
v2.7.2
v2.7.3
v2.7.4
v2.7.5
v2.7.6
v2.7.7
v2.7.8
v2.7.9
v2.7.10
v2.7.11
v2.7.12
v2.7.13
v2.7.14
v2.7.15
v2.7.16
v2.7.17
v2.7.18
v2.7.19
v2.7.20
v2.7.21
v2.7.22
v2.7.23
v2.7.24
v2.7.25
v2.7.26
v2.7.27
v2.7.28
v2.7.29
v2.7.30
v2.7.31
v2.7.32
v2.7.33
v2.7.34
v2.7.35
v2.7.36
v2.7.37
Packagist / symfony/security
Package
- Name
- symfony/security
- Purl
- pkg:composer/symfony/security
Packagist / symfony/security
Package
- Name
- symfony/security
- Purl
- pkg:composer/symfony/security
Packagist / symfony/security
Package
- Name
- symfony/security
- Purl
- pkg:composer/symfony/security