CVE Vulnerabilities

CVE-2018-11407

Improper Authentication

Published: Jun 13, 2018 | Modified: Nov 21, 2024
CVSS 3.x
9.8
CRITICAL
Source:
NVD
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
7.5 HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P
RedHat/V2
RedHat/V3
Ubuntu
MEDIUM

An issue was discovered in the Ldap component in Symfony 2.8.x before 2.8.37, 3.3.x before 3.3.17, 3.4.x before 3.4.7, and 4.0.x before 4.0.7. It allows remote attackers to bypass authentication by logging in with a null password and valid username, which triggers an unauthenticated bind. NOTE: this issue exists because of an incomplete fix for CVE-2016-2403.

Weakness

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Affected Software

Name Vendor Start Version End Version
Symfony Sensiolabs 2.8.0 (including) 2.8.37 (excluding)
Symfony Sensiolabs 3.3.0 (including) 3.3.17 (excluding)
Symfony Sensiolabs 3.4.0 (including) 3.4.7 (excluding)
Symfony Sensiolabs 4.0.0 (including) 4.0.7 (excluding)
Symfony Ubuntu artful *
Symfony Ubuntu bionic *
Symfony Ubuntu esm-apps/bionic *
Symfony Ubuntu upstream *

Potential Mitigations

References