PT-2016-3281 · Symfony · Symfony

Matteo Rossi

·

Published

2016-05-09

·

Updated

2022-05-14

·

CVE-2016-2403

CVSS v3.1

9.8

Critical

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Symfony versions prior to 2.8.6
Symfony versions 3.x prior to 3.0.6
Description
The vulnerability allows a remote attacker to bypass authentication by logging in with a valid username and an empty password. It affects applications that authenticate users against an LDAP directory through Symfony's Ldap component. The component passed the password from the login form straight into an LDAP simple bind; a bind that carries a DN but an empty password is an unauthenticated bind (RFC 4513, section 5.1.2), and a server configured to permit such binds answers it with success while granting only anonymous authorization. Because a bind that did not fail was treated as proof of the password, an attacker who knows an existing username can log in as that user without any credentials, privileges or user interaction.
Recommendations
For Symfony versions prior to 2.8.6, update to version 2.8.6 or later. For Symfony versions 3.x prior to 3.0.6, update to version 3.0.6 or later. The fixed versions reject an empty password as bad credentials before any bind is attempted. Independently of the upgrade, check whether the LDAP server accepts unauthenticated binds: RFC 4513 recommends that servers refuse them by default, and disabling them closes the same hole for every client of the directory, not only Symfony applications.
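The bind semantics that make the empty-password login succeed, modelled in Python as an added example for this page (it is not Symfony's PHP code; the directory contents, the server policy flag and all function names are constructed for the illustration). It puts the pre-fix check beside the fixed one against a server that permits unauthenticated binds and one that refuses them:

```python
"""Model of the CVE-2016-2403 bypass.

An LDAP simple bind that carries a name but an empty password is an
"unauthenticated" bind (RFC 4513, section 5.1.2).  A server that permits
it answers success while granting only anonymous authorization, so an
application that treats "the bind did not fail" as proof of the password
accepts any existing username with an empty string.

This is an added model written for this page, not Symfony's code: the
directory contents, the server policy flag and all function names are
constructed for the example.
"""

# Constructed directory standing in for the LDAP server's data: DN -> password.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": "correct horse battery staple",
    "uid=bob,ou=people,dc=example,dc=com": "hunter2",
}


class LdapServer:
    """Just enough of RFC 4513 section 5.1 simple-bind semantics to show the bug."""

    def __init__(self, directory, allow_unauthenticated_bind):
        self.directory = directory
        # RFC 4513 says servers SHOULD refuse unauthenticated binds by default,
        # but it is a policy knob and plenty of deployments leave it open.
        self.allow_unauthenticated_bind = allow_unauthenticated_bind

    def simple_bind(self, dn, password):
        """Return the authorization state after a successful bind, else raise."""
        if dn == "" and password == "":
            return "anonymous"                      # 5.1.1 anonymous bind
        if dn != "" and password == "":
            if self.allow_unauthenticated_bind:
                return "anonymous"                  # 5.1.2 unauthenticated bind: success, no identity
            raise PermissionError("unwillingToPerform")
        if self.directory.get(dn) == password:
            return "authenticated"                  # 5.1.3 name/password bind
        raise PermissionError("invalidCredentials")

    def lookup(self, username):
        """The user-provider step: map a login name to its DN, None if unknown."""
        # Real code must escape `username` (RFC 4514) before building a DN.
        dn = "uid=%s,ou=people,dc=example,dc=com" % username
        return dn if dn in self.directory else None


def authenticate_vulnerable(server, username, password):
    """Pre-fix pattern: bind with whatever the form sent; no exception == logged in."""
    dn = server.lookup(username)
    if dn is None:
        return False
    try:
        server.simple_bind(dn, password)
    except PermissionError:
        return False
    return True


def authenticate_fixed(server, username, password):
    """Fixed pattern: an empty password is bad credentials before any bind happens."""
    if password == "":
        return False   # Symfony's fix rejects the login at this point.
    dn = server.lookup(username)
    if dn is None:
        return False
    try:
        server.simple_bind(dn, password)
    except PermissionError:
        return False
    return True


if __name__ == "__main__":
    open_server = LdapServer(DIRECTORY, allow_unauthenticated_bind=True)
    for check in (authenticate_vulnerable, authenticate_fixed):
        print(check.__name__, "alice + empty password ->",
              check(open_server, "alice", ""))
```

The `allow_unauthenticated_bind` flag is the directory-side setting; turning it off stops `authenticate_vulnerable` from being fooled, but only for that one server. The application-side check in `authenticate_fixed` is the one that does not depend on how every directory it may ever talk to is configured, which is why the upgrade is the primary fix and the server setting is defense in depth.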

Weakness Enumeration

Improper Authentication (CWE-287)

Related Identifiers

BDU:2019-00442
CVE-2016-2403
DSA-4262-1
GHSA-WVJ5-R78R-HHFQ

Affected Products

Symfony