User Enumeration

Affecting symfony/security-http package, versions >=4.2.0, <4.2.12 || >=4.3.0, <4.3.8


Overview

symfony/security-http provides the infrastructure for sophisticated authorization systems, making it possible to separate the actual authorization logic from so-called user providers that hold the users' credentials.

Affected versions of this package are vulnerable to User Enumeration. When an unauthorized user attempted to use the switch user (impersonation) functionality, the request was handled differently depending on whether the target user existed, so the difference in responses could be used to determine which usernames were valid.
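The following constructed PHP example, added here and not taken from Symfony's code base, illustrates the pattern the advisory describes: an impersonation handler that loads the target user before checking the caller's privilege leaks a different error for unknown users, while the hardened variant authorizes first and returns one uniform error. The class, function names and roles are hypothetical stand-ins for the Symfony components involved.

```php
<?php
// Constructed illustration of the flaw class behind CVE-2019-18886; not Symfony's code.
// A user provider that knows only two accounts.
final class InMemoryUserProvider
{
    private array $users = ['alice' => ['ROLE_USER'], 'bob' => ['ROLE_USER']];

    /** @throws RuntimeException when the user does not exist */
    public function loadUserByUsername(string $username): array
    {
        if (!isset($this->users[$username])) {
            throw new RuntimeException('User not found');
        }
        return ['username' => $username, 'roles' => $this->users[$username]];
    }
}

// Vulnerable: the target is loaded before the caller's privilege is checked,
// so the error depends on whether the target account exists.
function switchUserVulnerable(InMemoryUserProvider $p, array $caller, string $target): string
{
    try {
        $user = $p->loadUserByUsername($target);      // distinct message for unknown users
    } catch (RuntimeException $e) {
        return 'error: ' . $e->getMessage();
    }
    if (!in_array('ROLE_ALLOWED_TO_SWITCH', $caller['roles'], true)) {
        return 'error: Access denied';                // distinct message for known users
    }
    return 'switched to ' . $user['username'];
}

// Hardened: authorize the caller first and map every failure to the same
// response, so an unprivileged caller learns nothing about which users exist.
function switchUserHardened(InMemoryUserProvider $p, array $caller, string $target): string
{
    if (!in_array('ROLE_ALLOWED_TO_SWITCH', $caller['roles'], true)) {
        return 'error: Access denied';
    }
    try {
        $user = $p->loadUserByUsername($target);
    } catch (RuntimeException $e) {
        return 'error: Access denied';                // identical to the privilege failure
    }
    return 'switched to ' . $user['username'];
}

$provider = new InMemoryUserProvider();
$lowPriv  = ['username' => 'mallory', 'roles' => ['ROLE_USER']];   // constructed caller
foreach (['alice', 'zed'] as $target) {                              // existing vs. unknown target
    printf("vulnerable %-6s -> %s\n", $target, switchUserVulnerable($provider, $lowPriv, $target));
    printf("hardened   %-6s -> %s\n", $target, switchUserHardened($provider, $lowPriv, $target));
}
```

Run with `php example.php`: the vulnerable handler answers "User not found" for zed and "Access denied" for alice, while the hardened handler answers "Access denied" for both.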

Remediation

Upgrade symfony/security-http to version 4.2.12, 4.3.8 or higher.

References

CVSS Score

5.3
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    None
  • Availability
    None
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Credit
Matt Daum
CVE
CVE-2019-18886
CWE
CWE-203
Snyk ID
SNYK-PHP-SYMFONYSECURITYHTTP-535382
Disclosed
13 Nov, 2019
Published
22 Nov, 2019