Critical severity 9.8 · NVD Advisory · Published Feb 7, 2017 · Updated Jun 17, 2026
CVE-2016-2403
Description
Symfony before 2.8.6 and 3.x before 3.0.6 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| symfony/security-core (Packagist) | >= 2.8.0, < 2.8.6 | 2.8.6 |
| symfony/security-core (Packagist) | >= 3.0.0, < 3.0.6 | 3.0.6 |
| symfony/security (Packagist) | >= 2.8.0, < 2.8.6 | 2.8.6 |
| symfony/security (Packagist) | >= 3.0.0, < 3.0.6 | 3.0.6 |
| symfony/symfony (Packagist) | >= 2.8.0, < 2.8.6 | 2.8.6 |
| symfony/symfony (Packagist) | >= 3.0.0, < 3.0.6 | 3.0.6 |
Affected products
- cpe:2.3:a:sensiolabs:symfony:2.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.8.3:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.8.4:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:2.8.5:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:3.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:3.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:3.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:3.0.5:*:*:*:*:*:*:*
- ghsa-coords (3 versions)
- (no CPE) range: >= 2.8.0, < 2.8.6
References
- symfony.com/blog/cve-2016-2403-unauthorized-access-on-a-misconfigured-ldap-server-when-using-an-empty-password (nvd: Vendor Advisory, WEB)
- www.securityfocus.com/bid/96137 (nvd: Third Party Advisory, VDB Entry)
- github.com/advisories/GHSA-wvj5-r78r-hhfq (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2016-2403 (ghsa: ADVISORY)
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-core/CVE-2016-2403.yaml (ghsa: WEB)
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security/CVE-2016-2403.yaml (ghsa: WEB)
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2016-2403.yaml (ghsa: WEB)
- symfony.com/cve-2016-2403 (ghsa: WEB)
- web.archive.org/web/20210123224944/http://www.securityfocus.com/bid/96137 (ghsa: WEB)
- www.debian.org/security/2018/dsa-4262 (nvd: WEB)