PT-2021-3445 · Symfony+3

Chalasr · Published 2021-05-13 · Updated 2024-03-06 · CVE-2021-21424

CVSS v3.1: 5.3 Medium
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Symfony versions prior to 3.4

Description: The issue is an information disclosure that allows a remote attacker to gain unauthorized access to protected information. The vulnerability is caused by the ability to enumerate users without the relevant permissions: the switch-user functionality responded differently depending on whether or not the requested user existed. Additionally, users could be enumerated through a timing attack, by comparing the time elapsed when authenticating an existing user with the time elapsed for a non-existing user.

Recommendations: For Symfony versions prior to 3.4, the patch for this issue is available on branch 3.4. It ensures that a 403 is returned whether or not the target user exists, both when the current user is not allowed to switch and when the requested user does not exist. As a temporary workaround, consider restricting access to the switch-user functionality until the patch is applied.

Side Channel Attack

Information Disclosure

Weakness Enumeration

Related Identifiers

BDU:2021-03305
BIT-SYMFONY-2021-21424
CVE-2021-21424
DLA-3493-1
GHSA-5PV8-PPVJ-4H68
USN-5290-1

Affected Products

Astra Linux
Linuxmint
Symfony
Ubuntu