CVE-2018-11407
Description
An issue was discovered in the Ldap component in Symfony 2.8.x before 2.8.37, 3.3.x before 3.3.17, 3.4.x before 3.4.7, and 4.0.x before 4.0.7. It allows remote attackers to bypass authentication by logging in with a "null" password and valid username, which triggers an unauthenticated bind. NOTE: this issue exists because of an incomplete fix for CVE-2016-2403.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Symfony LDAP component incomplete fix allows authentication bypass by sending a null password with a valid username.
Vulnerability
The vulnerability resides in the Ldap component of the Symfony framework. It allows remote attackers to bypass authentication by logging in with a "null" password and a valid username, which triggers an unauthenticated bind [1][2]. This issue exists because of an incomplete fix for CVE-2016-2403. Affected versions are Symfony 2.8.x before 2.8.37, 3.3.x before 3.3.17, 3.4.x before 3.4.7, and 4.0.x before 4.0.7 [2][3].
Exploitation
An attacker only needs network access to the application and a valid username. By submitting an authentication request with a null (empty) password, the attacker causes the LDAP component to perform an unauthenticated bind, which succeeds against LDAP servers that accept unauthenticated (anonymous) binds, and the attacker is logged in as that user [1][2]. No special privileges or prior access are required, as the vulnerability is reachable from the application's login interface.
Impact
Successful exploitation allows an attacker to impersonate any valid user, gaining the same access rights and privileges as that user within the application [1][2]. Depending on the permissions of the compromised account, this can amount to a complete breach of confidentiality, integrity, and availability. The scope of impact is high, as it affects core authentication.
Mitigation
The fix was released in Symfony versions 2.8.37, 3.3.17, 3.4.7, and 4.0.7 [1][2][3][4]. Users should upgrade to these versions or later. There is no known workaround; the only mitigation is to apply the patch.
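The following PHP example is added here and is not Symfony's code. It models the password check in `LdapBindAuthenticationProvider::checkAuthentication()` before and after the fix described above, against a stand-in LDAP client (`FakeLdapClient`, an assumption for this example) that behaves like a server permitting unauthenticated simple binds: a bind with an empty password "succeeds" without proving identity. The DN template and function names are also assumptions, not Symfony's.

```php
<?php
// Added example, not part of Symfony. FakeLdapClient, the DN template and the
// two check functions are assumptions that model the vulnerable and fixed
// versions of the empty-password guard in LdapBindAuthenticationProvider.
declare(strict_types=1);

final class BadCredentialsException extends \RuntimeException {}

/**
 * Stand-in for an LDAP server that permits unauthenticated binds
 * (RFC 4513 calls this the unauthenticated authentication mechanism of
 * simple bind): any DN with an empty password binds "successfully".
 */
final class FakeLdapClient
{
    // Constructed directory: one user with a known password.
    private const DIRECTORY = ['uid=alice,dc=example,dc=org' => 's3cret'];

    public function bind(string $dn, string $password): bool
    {
        if ('' === $password) {
            return true; // unauthenticated bind: no identity was proven
        }
        return (self::DIRECTORY[$dn] ?? null) === $password;
    }
}

/** Vulnerable guard (pre-fix): under strict comparison null !== '', so null slips through. */
function checkAuthenticationVulnerable(FakeLdapClient $ldap, string $username, $password): bool
{
    if ('' === $password) {
        throw new BadCredentialsException('The presented password must not be empty.');
    }
    // The (string) cast mimics what happens when null reaches the bind call.
    return $ldap->bind(sprintf('uid=%s,dc=example,dc=org', $username), (string) $password);
}

/** Fixed guard (commit b46fc93): casting first turns null into '' so it is rejected. */
function checkAuthenticationFixed(FakeLdapClient $ldap, string $username, $password): bool
{
    if ('' === (string) $password) {
        throw new BadCredentialsException('The presented password must not be empty.');
    }
    return $ldap->bind(sprintf('uid=%s,dc=example,dc=org', $username), (string) $password);
}

$ldap = new FakeLdapClient();

// Constructed credentials covering the null case, the empty string, a wrong
// password and the correct one, run through both guards.
foreach ([null, '', 'wrong', 's3cret'] as $password) {
    foreach (['checkAuthenticationVulnerable', 'checkAuthenticationFixed'] as $fn) {
        try {
            $result = $fn($ldap, 'alice', $password) ? 'bind ok' : 'bind rejected';
        } catch (BadCredentialsException $e) {
            $result = 'rejected before bind';
        }
        printf("%-30s password=%-8s -> %s\n", $fn, var_export($password, true), $result);
    }
}
// The vulnerable guard lets password=null reach the fake server, which reports
// "bind ok" without a credential check: that is the bypass. The fixed guard
// reports "rejected before bind" for both null and ''.
```

Run it with `php example.php`. The difference between the two guards is a single cast: PHP's strict `===` treats `null` and `''` as distinct values, so the pre-fix check only ever caught the literal empty string, while the LDAP bind underneath treated both as "no password". Rejecting empty credentials at the application layer is the defence here because the server-side acceptance of unauthenticated binds is outside the application's control.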
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| symfony/security-core (Packagist) | >= 2.8.0, < 2.8.37 | 2.8.37 |
| symfony/security-core (Packagist) | >= 3.0.0, < 3.3.17 | 3.3.17 |
| symfony/security-core (Packagist) | >= 3.4.0, < 3.4.7 | 3.4.7 |
| symfony/security-core (Packagist) | >= 4.0.0, < 4.0.7 | 4.0.7 |
| symfony/security (Packagist) | >= 2.8.0, < 2.8.37 | 2.8.37 |
| symfony/security (Packagist) | >= 3.0.0, < 3.3.17 | 3.3.17 |
| symfony/security (Packagist) | >= 3.4.0, < 3.4.7 | 3.4.7 |
| symfony/security (Packagist) | >= 4.0.0, < 4.0.7 | 4.0.7 |
| symfony/symfony (Packagist) | >= 2.8.0, < 2.8.37 | 2.8.37 |
| symfony/symfony (Packagist) | >= 3.0.0, < 3.3.17 | 3.3.17 |
| symfony/symfony (Packagist) | >= 3.4.0, < 3.4.7 | 3.4.7 |
| symfony/symfony (Packagist) | >= 4.0.0, < 4.0.7 | 4.0.7 |
Affected products
3 GHSA coordinates, 3 version ranges each; no CPE assigned.
- range: >= 2.8.0, < 2.8.37 (+ 2 more)
- range: >= 2.8.0, < 2.8.37 (+ 2 more)
- range: >= 2.8.0, < 2.8.37 (+ 2 more)
Patches
1 patch: b46fc93785d3 security #cve-2018-11407 [Ldap] cast to string when checking empty passwords
2 files changed · +18 −1
src/Symfony/Component/Security/Core/Authentication/Provider/LdapBindAuthenticationProvider.php+1 −1 modified@@ -82,7 +82,7 @@ protected function checkAuthentication(UserInterface $user, UsernamePasswordToke $username = $token->getUsername(); $password = $token->getCredentials(); - if ('' === $password) { + if ('' === (string) $password) { throw new BadCredentialsException('The presented password must not be empty.'); }
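Review bot: the `(string)` cast closes the null case but coerces every other non-string credential instead of rejecting it, so an array credential would reach the bind as the literal string "Array" (with a PHP warning) and an integer 0 as "0". A guard that fails closed on anything that is not a non-empty string, e.g. `if (!\is_string($password) || '' === $password) {` followed by the same `throw new BadCredentialsException(...)`, states the intent directly and keeps unexpected credential types away from the LDAP bind altogether.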
src/Symfony/Component/Security/Core/Tests/Authentication/Provider/LdapBindAuthenticationProviderTest.php+17 −0 modified@@ -45,6 +45,23 @@ public function testEmptyPasswordShouldThrowAnException() $reflection->invoke($provider, new User('foo', null), new UsernamePasswordToken('foo', '', 'key')); } + /** + * @expectedException \Symfony\Component\Security\Core\Exception\BadCredentialsException + * @expectedExceptionMessage The presented password must not be empty. + */ + public function testNullPasswordShouldThrowAnException() + { + $userProvider = $this->getMockBuilder('Symfony\Component\Security\Core\User\UserProviderInterface')->getMock(); + $ldap = $this->getMockBuilder('Symfony\Component\Ldap\LdapClientInterface')->getMock(); + $userChecker = $this->getMockBuilder('Symfony\Component\Security\Core\User\UserCheckerInterface')->getMock(); + + $provider = new LdapBindAuthenticationProvider($userProvider, $userChecker, 'key', $ldap); + $reflection = new \ReflectionMethod($provider, 'checkAuthentication'); + $reflection->setAccessible(true); + + $reflection->invoke($provider, new User('foo', null), new UsernamePasswordToken('foo', null, 'key')); + } + /** * @expectedException \Symfony\Component\Security\Core\Exception\BadCredentialsException * @expectedExceptionMessage The presented password is invalid.
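Review bot: testNullPasswordShouldThrowAnException only asserts that the exception is raised; it never checks that the `$ldap` mock's bind() is not reached, which is the property this fix exists to guarantee. Adding `$ldap->expects($this->never())->method('bind');` before the `$reflection->invoke(...)` call would also catch a regression where the exception is thrown only after a bind has already happened. The body otherwise duplicates testEmptyPasswordShouldThrowAnException apart from the `null` credential; a data provider yielding `''` and `null` would cover both cases in one test and keep the two from drifting apart.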
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
9 references:
- github.com/advisories/GHSA-35c5-28pg-2qg4 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2018-11407 (GHSA, advisory)
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-core/CVE-2018-11407.yaml (GHSA, web)
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security/CVE-2018-11407.yaml (GHSA, web)
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2018-11407.yaml (GHSA, web)
- github.com/symfony/symfony/commit/b46fc93785d37ffa5d706a82cd175b33ce8f2934 (GHSA, web)
- github.com/symfony/symfony/pull/27377 (GHSA, web)
- symfony.com/blog/cve-2018-11407-unauthorized-access-on-a-misconfigured-ldap-server-when-using-an-empty-password (GHSA, x_refsource_CONFIRM, web)
- symfony.com/cve-2018-11407 (GHSA, web)