VYPR
Critical severity · NVD Advisory · Published May 23, 2019 · Updated Aug 5, 2024

CVE-2017-11365

Description

Certain Symfony products are affected by: Incorrect Access Control. This affects Symfony 2.7.30 and Symfony 2.8.23 and Symfony 3.2.10 and Symfony 3.3.3. The type of exploitation is: remote. The component is: Password validator.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In the affected versions, Symfony's password validator does not enforce its access control check correctly, and the flaw can be exploited remotely.

Vulnerability

Analysis

CVE-2017-11365 is an incorrect access control vulnerability in the password validator component of Symfony. Affected versions include Symfony 2.7.30, 2.8.23, 3.2.10, and 3.3.3 [1]. The issue is categorized as remote exploitation, indicating that an attacker can leverage this flaw over the network without requiring local access.

Exploitation

The vulnerability lies in how the password validator handles access control. The fix commit shown further down this page pins the defect to UserPasswordValidator, which returned early for a null or empty password without recording a violation, so an empty password satisfied the UserPassword constraint. An attacker can exploit this remotely, bypassing intended security checks. No authentication is strictly required for exploitation, as it is an access control failure inherent in the component [1][2].

Impact

Successful exploitation allows an attacker to bypass password validation mechanisms, potentially leading to unauthorized access or privilege escalation. The exact impact depends on the application's use of the password validator, but it could compromise user accounts or system integrity [1].

Mitigation

Upgrading to a patched version of Symfony is necessary to remediate this vulnerability. The issue has been fixed in later releases (2.7.32, 2.8.25, 3.2.12 and 3.3.5, per the affected-packages table on this page); users are advised to update beyond the affected versions [2][3][4].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                  Ecosystem   Affected versions      Patched versions
symfony/security-core    Packagist   >= 2.7.30, < 2.7.32    2.7.32
symfony/security-core    Packagist   >= 2.8.23, < 2.8.25    2.8.25
symfony/security-core    Packagist   >= 3.2.10, < 3.2.12    3.2.12
symfony/security-core    Packagist   >= 3.3.3, < 3.3.5      3.3.5
symfony/security         Packagist   >= 2.7.30, < 2.7.32    2.7.32
symfony/security         Packagist   >= 2.8.23, < 2.8.25    2.8.25
symfony/security         Packagist   >= 3.2.10, < 3.2.12    3.2.12
symfony/security         Packagist   >= 3.3.3, < 3.3.5      3.3.5
symfony/symfony          Packagist   >= 2.7.30, < 2.7.32    2.7.32
symfony/symfony          Packagist   >= 2.8.23, < 2.8.25    2.8.25
symfony/symfony          Packagist   >= 3.2.10, < 3.2.12    3.2.12
symfony/symfony          Packagist   >= 3.3.3, < 3.3.5      3.3.5

Affected products: 4

Patches: 1

Commit 878198cefae0

[Security] validate empty passwords again

https://github.com/symfony/symfony · Christian Flothmann · Jul 14, 2017 · via ghsa
2 files changed · +25 −0
  • src/Symfony/Component/Security/Core/Tests/Validator/Constraints/UserPasswordValidatorTest.php (+23 −0, modified)
    @@ -90,6 +90,29 @@ public function testPasswordIsNotValid()
                 ->assertRaised();
         }
     
    +    /**
    +     * @dataProvider emptyPasswordData
    +     */
    +    public function testEmptyPasswordsAreNotValid($password)
    +    {
    +        $constraint = new UserPassword(array(
    +            'message' => 'myMessage',
    +        ));
    +
    +        $this->validator->validate($password, $constraint);
    +
    +        $this->buildViolation('myMessage')
    +            ->assertRaised();
    +    }
    +
    +    public function emptyPasswordData()
    +    {
    +        return array(
    +            array(null),
    +            array(''),
    +        );
    +    }
    +
         /**
          * @expectedException \Symfony\Component\Validator\Exception\ConstraintDefinitionException
          */
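Review bot: the `emptyPasswordData` provider (`array(null)`, `array('')`) covers exactly the two values the validator's new early-return condition checks, so the regression is pinned down, but the test only asserts that a `myMessage` violation is raised; it does not cover the boundary just outside the fix, such as a whitespace-only password like `' '`, which the condition deliberately lets through to the normal encoder comparison. A provider case for that boundary, plus a short docblock on `emptyPasswordData` stating that these are the values the validator must reject without consulting the encoder, would make the intended semantics explicit.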
    
  • src/Symfony/Component/Security/Core/Validator/Constraints/UserPasswordValidator.php (+2 −0, modified)
    @@ -40,6 +40,8 @@ public function validate($password, Constraint $constraint)
             }
     
             if (null === $password || '' === $password) {
    +            $this->context->addViolation($constraint->message);
    +
                 return;
             }
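Review bot: adding `$this->context->addViolation($constraint->message);` before the early `return` is the fix itself, since the previous branch for `null === $password || '' === $password` returned without recording a violation and so let an empty password pass the constraint, but the change is undocumented: the method carries no comment explaining why empty passwords are rejected without consulting the encoder, and a CHANGELOG/UPGRADE entry is warranted because applications that relied on the old silent return will now see a violation. Reusing `$constraint->message` (the same text as for a wrong password) is the right choice, as it does not reveal to the caller whether the submission was empty or merely incorrect.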
     
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 9

News mentions: 0 (no linked articles in our index yet)