User Enumeration

Affecting symfony/symfony package, versions >=4.2.0, <4.2.12 || >=4.3.0, <4.3.8


Overview

symfony/symfony is a PHP framework for web applications and a set of reusable PHP components.

Affected versions of this package are vulnerable to User Enumeration. When a request attempted to use the switch-user (impersonation) feature without being authorized to do so, the framework's handling differed depending on whether the requested target username existed, so the error returned to an unauthorized caller revealed whether that account exists. Only firewalls that enable the `switch_user` option expose the feature, but on such a firewall the difference in responses can be used to confirm valid usernames one request at a time.
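The following is an added illustration, not Symfony's own code: a minimal model of a switch-user listener in PHP 8 that shows why the ordering of "look up the target" and "authorize the caller" decides whether an enumeration oracle exists. The class names (`Requester`, `InMemoryUserProvider`), the `ROLE_ALLOWED_TO_SWITCH` gate and the two exception types are assumptions chosen to mirror the two outcomes an attacker can tell apart; the account data is constructed. With those accounts, `vulnerableSwitch` produces two different exception classes for the two targets, while `hardenedSwitch` produces `AccessDeniedException` for both.

```php
<?php
declare(strict_types=1);

// Added example, not Symfony's code: a minimal model of a switch-user listener.
// Requester, InMemoryUserProvider, the ROLE_ALLOWED_TO_SWITCH gate and the two
// exception classes are assumptions for illustration only.

class UserNotFoundException extends RuntimeException {}
class AccessDeniedException extends RuntimeException {}

interface UserProvider
{
    /** @return array<string,mixed> */
    public function loadUserByUsername(string $username): array;
}

final class InMemoryUserProvider implements UserProvider
{
    /** @param array<string,array<string,mixed>> $users constructed sample accounts */
    public function __construct(private array $users) {}

    public function loadUserByUsername(string $username): array
    {
        if (!isset($this->users[$username])) {
            throw new UserNotFoundException(sprintf('Username "%s" does not exist.', $username));
        }
        return $this->users[$username];
    }
}

/** The authenticated caller attempting the switch. */
final class Requester
{
    /** @param list<string> $roles */
    public function __construct(public string $username, public array $roles) {}

    public function mayImpersonate(): bool
    {
        return in_array('ROLE_ALLOWED_TO_SWITCH', $this->roles, true);
    }
}

// Vulnerable ordering: the target is looked up BEFORE the caller is authorized,
// so an unauthorized caller sees UserNotFoundException for unknown names and
// AccessDeniedException for known ones. That difference is the enumeration oracle.
function vulnerableSwitch(Requester $who, UserProvider $provider, string $target): array
{
    $user = $provider->loadUserByUsername($target);
    if (!$who->mayImpersonate()) {
        throw new AccessDeniedException('Not allowed to switch user.');
    }
    return $user;
}

// Hardened ordering: the lookup result is held back until authorization has run,
// so every unauthorized caller gets AccessDeniedException whether or not the
// target exists. Only an authorized caller ever learns that the name was unknown.
function hardenedSwitch(Requester $who, UserProvider $provider, string $target): array
{
    $user = null;
    $notFound = null;
    try {
        $user = $provider->loadUserByUsername($target);
    } catch (UserNotFoundException $e) {
        $notFound = $e;
    }

    if (!$who->mayImpersonate()) {
        throw new AccessDeniedException('Not allowed to switch user.');
    }
    if ($notFound !== null) {
        throw $notFound;
    }
    return $user;
}

// Collapse each attempt to the signal an attacker observes: the exception class.
function observe(callable $attempt): string
{
    try {
        $attempt();
        return 'switched';
    } catch (AccessDeniedException | UserNotFoundException $e) {
        return get_class($e);
    }
}

$provider = new InMemoryUserProvider([ // constructed sample accounts
    'alice' => ['username' => 'alice'],
    'bob'   => ['username' => 'bob'],
]);
$attacker = new Requester('mallory', ['ROLE_USER']); // lacks ROLE_ALLOWED_TO_SWITCH

foreach (['alice', 'nobody'] as $target) {
    printf("vulnerable target=%-6s -> %s\n", $target,
        observe(fn () => vulnerableSwitch($attacker, $provider, $target)));
    printf("hardened   target=%-6s -> %s\n", $target,
        observe(fn () => hardenedSwitch($attacker, $provider, $target)));
}
```

Run it with `php switch_user_demo.php` (any filename works). The hardened variant still performs the lookup on both paths, so the attacker no longer gets a different error type; whether a residual timing difference remains depends on the user provider's "not found" path and is not what this advisory covers.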

Remediation

Upgrade symfony/symfony to version 4.2.12, 4.3.8 or higher.

CVSS Score

5.3 (medium severity)
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    None
  • Availability
    None
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Credit
Matt Daum
CVE
CVE-2019-18886
CWE
CWE-203
Snyk ID
SNYK-PHP-SYMFONYSYMFONY-535351
Disclosed
13 Nov, 2019
Published
22 Nov, 2019