CVE Vulnerabilities

CVE-2016-2403

Improper Authentication

Published: Feb 07, 2017 | Modified: Aug 06, 2018
CVSS 3.x
9.8
CRITICAL
Source:
NVD
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
7.5 HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P
RedHat/V2
RedHat/V3
Ubuntu
MEDIUM

Symfony before 2.8.6 and 3.x before 3.0.6 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind.

Weakness

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Affected Software

Name Vendor Start Version End Version
Symfony Sensiolabs 2.8.0 (including) 2.8.0 (including)
Symfony Sensiolabs 2.8.1 (including) 2.8.1 (including)
Symfony Sensiolabs 2.8.2 (including) 2.8.2 (including)
Symfony Sensiolabs 2.8.3 (including) 2.8.3 (including)
Symfony Sensiolabs 2.8.4 (including) 2.8.4 (including)
Symfony Sensiolabs 2.8.5 (including) 2.8.5 (including)
Symfony Sensiolabs 3.0.0 (including) 3.0.0 (including)
Symfony Sensiolabs 3.0.1 (including) 3.0.1 (including)
Symfony Sensiolabs 3.0.2 (including) 3.0.2 (including)
Symfony Sensiolabs 3.0.3 (including) 3.0.3 (including)
Symfony Sensiolabs 3.0.4 (including) 3.0.4 (including)
Symfony Sensiolabs 3.0.5 (including) 3.0.5 (including)
Symfony Ubuntu artful *
Symfony Ubuntu upstream *
Symfony Ubuntu wily *
Symfony Ubuntu yakkety *
Symfony Ubuntu zesty *

Potential Mitigations

References