Symfony up to 4.2.6 improper authentication

Summaryinfo

A vulnerability, which was classified as critical, has been found in Symfony up to 2.7.50/2.8.49/3.4.25/4.1.11/4.2.6. Affected by this vulnerability is an unknown functionality. This manipulation causes improper authentication. This vulnerability is tracked as CVE-2019-10911. The attack is possible to be carried out remotely. No exploit exists. It is advisable to upgrade the affected component.

Detailsinfo

A vulnerability has been found in Symfony up to 2.7.50/2.8.49/3.4.25/4.1.11/4.2.6 and classified as critical. Affected by this vulnerability is an unknown functionality. The manipulation with an unknown input leads to a improper authentication vulnerability. The CWE definition for the vulnerability is CWE-287. When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

In Symfony before 2.7.51, 2.8.x before 2.8.50, 3.x before 3.4.26, 4.x before 4.1.12, and 4.2.x before 4.2.7, a vulnerability would allow an attacker to authenticate as a privileged user on sites with user registration and remember me login functionality enabled. This is related to symfony/security.

The bug was discovered 04/17/2019. The weakness was disclosed 05/16/2019 (GitHub Repository). The advisory is shared at github.com. This vulnerability is known as CVE-2019-10911 since 04/07/2019. The attack can be launched remotely. The successful exploitation needs a single authentication. Neither technical details nor an exploit are publicly available.

The vulnerability was handled as a non-public zero-day exploit for at least 29 days. During that time the estimated underground price was around $0-$5k. The commercial vulnerability scanner Qualys is able to test this issue with plugin 277829 (Fedora Security Update for drupal8 (FEDORA-2019-1a3edd7e8a)).

Upgrading to version 2.7.51, 2.8.50, 3.4.26, 4.1.12 or 4.2.7 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at SecurityFocus (BID 104943†). The entries VDB-119487, VDB-119502, VDB-119506 and VDB-122590 are pretty similar. If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Productinfo

Name

• Symfony

Version

• 2.7.0
• 2.7.1
• 2.7.2
• 2.7.3
• 2.7.4
• 2.7.5
• 2.7.6
• 2.7.7
• 2.7.8
• 2.7.9
• 2.7.10
• 2.7.11
• 2.7.12
• 2.7.13
• 2.7.14
• 2.7.15
• 2.7.16
• 2.7.17
• 2.7.18
• 2.7.19
• 2.7.20
• 2.7.21
• 2.7.22
• 2.7.23
• 2.7.24
• 2.7.25
• 2.7.26
• 2.7.27
• 2.7.28
• 2.7.29
• 2.7.30
• 2.7.31
• 2.7.32
• 2.7.33
• 2.7.34
• 2.7.35
• 2.7.36
• 2.7.37
• 2.7.38
• 2.7.39
• 2.7.40
• 2.7.41
• 2.7.42
• 2.7.43
• 2.7.44
• 2.7.45
• 2.7.46
• 2.7.47
• 2.7.48
• 2.7.49
• 2.7.50
• 2.8.0
• 2.8.1
• 2.8.2
• 2.8.3
• 2.8.4
• 2.8.5
• 2.8.6
• 2.8.7
• 2.8.8
• 2.8.9
• 2.8.10
• 2.8.11
• 2.8.12
• 2.8.13
• 2.8.14
• 2.8.15
• 2.8.16
• 2.8.17
• 2.8.18
• 2.8.19
• 2.8.20
• 2.8.21
• 2.8.22
• 2.8.23
• 2.8.24
• 2.8.25
• 2.8.26
• 2.8.27
• 2.8.28
• 2.8.29
• 2.8.30
• 2.8.31
• 2.8.32
• 2.8.33
• 2.8.34
• 2.8.35
• 2.8.36
• 2.8.37
• 2.8.38
• 2.8.39
• 2.8.40
• 2.8.41
• 2.8.42
• 2.8.43
• 2.8.44
• 2.8.45
• 2.8.46
• 2.8.47
• 2.8.48
• 2.8.49
• 3.4.0
• 3.4.1
• 3.4.2
• 3.4.3
• 3.4.4
• 3.4.5
• 3.4.6
• 3.4.7
• 3.4.8
• 3.4.9
• 3.4.10
• 3.4.11
• 3.4.12
• 3.4.13
• 3.4.14
• 3.4.15
• 3.4.16
• 3.4.17
• 3.4.18
• 3.4.19
• 3.4.20
• 3.4.21
• 3.4.22
• 3.4.23
• 3.4.24
• 3.4.25
• 4.1.0
• 4.1.1
• 4.1.2
• 4.1.3
• 4.1.4
• 4.1.5
• 4.1.6
• 4.1.7
• 4.1.8
• 4.1.9
• 4.1.10
• 4.1.11
• 4.2.0
• 4.2.1
• 4.2.2
• 4.2.3
• 4.2.4
• 4.2.5
• 4.2.6

License

• open-source

Website

• Product: https://github.com/symfony/symfony/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Discussion