Packagist (Composer) package
symfony/security-core
pkg:composer/symfony/security-core
Vulnerabilities (5)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-21424 | — | >= 2.8.0, < 3.4.48 | 3.4.48 | May 13, 2021 | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling depending on whether the user existed or not when attempting to use the switch user | ||
| CVE-2017-11365 | — | >= 2.7.30, < 2.7.32 | 2.7.32 | May 23, 2019 | Certain Symfony products are affected by: Incorrect Access Control. This affects Symfony 2.7.30 and Symfony 2.8.23 and Symfony 3.2.10 and Symfony 3.3.3. The type of exploitation is: remote. The component is: Password validator. | ||
| CVE-2018-11407 | — | >= 2.8.0, < 2.8.37 | 2.8.37 | Jun 13, 2018 | An issue was discovered in the Ldap component in Symfony 2.8.x before 2.8.37, 3.3.x before 3.3.17, 3.4.x before 3.4.7, and 4.0.x before 4.0.7. It allows remote attackers to bypass authentication by logging in with a "null" password and valid username, which triggers an unauthenti | ||
| CVE-2016-2403 | Cri | 9.8 | >= 2.8.0, < 2.8.6 | 2.8.6 | Feb 7, 2017 | Symfony before 2.8.6 and 3.x before 3.0.6 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind. | |
| CVE-2016-1902 | Hig | 7.5 | >= 2.4.0, < 2.6.13 | 2.6.13 | Jun 1, 2016 | The nextBytes function in the SecureRandom class in Symfony before 2.3.37, 2.6.x before 2.6.13, and 2.7.x before 2.7.9 does not properly generate random numbers when used with PHP 5.x without the paragonie/random_compat library and the openssl_random_pseudo_bytes function fails, |
- CVE-2021-21424May 13, 2021affected >= 2.8.0, < 3.4.48fixed 3.4.48
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling depending on whether the user existed or not when attempting to use the switch user
- CVE-2017-11365May 23, 2019affected >= 2.7.30, < 2.7.32fixed 2.7.32
Certain Symfony products are affected by: Incorrect Access Control. This affects Symfony 2.7.30 and Symfony 2.8.23 and Symfony 3.2.10 and Symfony 3.3.3. The type of exploitation is: remote. The component is: Password validator.
- CVE-2018-11407Jun 13, 2018affected >= 2.8.0, < 2.8.37fixed 2.8.37
An issue was discovered in the Ldap component in Symfony 2.8.x before 2.8.37, 3.3.x before 3.3.17, 3.4.x before 3.4.7, and 4.0.x before 4.0.7. It allows remote attackers to bypass authentication by logging in with a "null" password and valid username, which triggers an unauthenti
- affected >= 2.8.0, < 2.8.6fixed 2.8.6
Symfony before 2.8.6 and 3.x before 3.0.6 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind.
- affected >= 2.4.0, < 2.6.13fixed 2.6.13
The nextBytes function in the SecureRandom class in Symfony before 2.3.37, 2.6.x before 2.6.13, and 2.7.x before 2.7.9 does not properly generate random numbers when used with PHP 5.x without the paragonie/random_compat library and the openssl_random_pseudo_bytes function fails,