Symfony · Symfony · CVE-2018-11407
**Name of the Vulnerable Software and Affected Versions**
Symfony versions 2.8.x through 2.8.36
Symfony versions 3.3.x through 3.3.16
Symfony versions 3.4.x through 3.4.6
Symfony versions 4.0.x through 4.0.6
**Description**
An issue in the Ldap component allows remote attackers to bypass authentication by logging in with a "null" password and valid username, triggering an unauthenticated bind. This issue exists because of an incomplete fix for a previous authentication bypass vulnerability.
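The bug class described above, as an added example that is not Symfony's code: a password check that compares strictly against the empty string lets `null` through to the bind call, while a check that normalizes the value first rejects both. `FakeDirectory`, `weakLogin`, `hardenedLogin` and the sample DN and password are hypothetical names and constructed data; the fake server is assumed to accept unauthenticated binds.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for a directory server that accepts unauthenticated
// binds (simple bind with a DN and an empty password, RFC 4513 section 5.1.2).
final class FakeDirectory
{
    private array $users = ['uid=alice,dc=example,dc=org' => 's3cret'];

    public function bind(string $dn, ?string $password): bool
    {
        if (null === $password || '' === $password) {
            return true; // unauthenticated bind: success without any credential check
        }
        $expected = $this->users[$dn] ?? null;
        return null !== $expected && hash_equals($expected, $password);
    }
}

// Weak guard (hypothetical): the strict comparison only catches '', not null.
function weakLogin(FakeDirectory $ldap, string $dn, ?string $password): bool
{
    if ('' === $password) {
        return false;
    }
    return $ldap->bind($dn, $password);
}

// Hardened guard (hypothetical): null and '' are rejected before any bind.
function hardenedLogin(FakeDirectory $ldap, string $dn, ?string $password): bool
{
    if ('' === (string) $password) {
        return false;
    }
    return $ldap->bind($dn, $password);
}

// Compare both guards over constructed inputs.
$ldap = new FakeDirectory();
$dn = 'uid=alice,dc=example,dc=org';
foreach ([null, '', 'wrong', 's3cret'] as $pw) {
    printf(
        "%-10s weak=%-6s hardened=%s\n",
        var_export($pw, true),
        var_export(weakLogin($ldap, $dn, $pw), true),
        var_export(hardenedLogin($ldap, $dn, $pw), true)
    );
}
```

Rejecting unauthenticated binds on the directory server itself closes the same gap independently of the application-side check.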
**Recommendations**
For Symfony versions 2.8.x through 2.8.36, update to version 2.8.37 or later.
For Symfony versions 3.3.x through 3.3.16, update to version 3.3.17 or later.
For Symfony versions 3.4.x through 3.4.6, update to version 3.4.7 or later.
For Symfony versions 4.0.x through 4.0.6, update to version 4.0.7 or later.