Affecting symfony/security-http package, versions >=4.2.0, <4.2.12 || >=4.3.0, <4.3.8
symfony/security-http is a provides an infrastructure for sophisticated authorization systems, which makes it possible to easily separate the actual authorization logic from so called user providers that hold the users credentials.
Affected versions of this package are vulnerable to User Enumeration. The ability to enumerate users was possible due to different handling depending on whether the user existed when making unauthorized attempts to use the switch users functionality.
symfony/security-http to version 4.2.12, 4.3.8 or higher.