Critical severity 9.8 (NVD Advisory) · Published Feb 7, 2017 · Updated May 13, 2026
CVE-2016-2403
Description
Symfony before 2.8.6 and 3.x before 3.0.6 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| symfony/security-core | Packagist | >= 2.8.0, < 2.8.6 | 2.8.6 |
| symfony/security-core | Packagist | >= 3.0.0, < 3.0.6 | 3.0.6 |
| symfony/security | Packagist | >= 2.8.0, < 2.8.6 | 2.8.6 |
| symfony/security | Packagist | >= 3.0.0, < 3.0.6 | 3.0.6 |
| symfony/symfony | Packagist | >= 2.8.0, < 2.8.6 | 2.8.6 |
| symfony/symfony | Packagist | >= 3.0.0, < 3.0.6 | 3.0.6 |
Patches
No patches discovered yet.
References
- symfony.com/blog/cve-2016-2403-unauthorized-access-on-a-misconfigured-ldap-server-when-using-an-empty-password (source: nvd; Vendor Advisory; WEB)
- www.securityfocus.com/bid/96137 (source: nvd; Third Party Advisory; VDB Entry)
- github.com/advisories/GHSA-wvj5-r78r-hhfq (source: ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2016-2403 (source: ghsa; ADVISORY)
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-core/CVE-2016-2403.yaml (source: ghsa; WEB)
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security/CVE-2016-2403.yaml (source: ghsa; WEB)
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2016-2403.yaml (source: ghsa; WEB)
- symfony.com/cve-2016-2403 (source: ghsa; WEB)
- web.archive.org/web/20210123224944/http://www.securityfocus.com/bid/96137 (source: ghsa; WEB)
- www.debian.org/security/2018/dsa-4262 (source: nvd; WEB)