Description
Symfony before 2.8.6 and 3.x before 3.0.6 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind.
Packages
Package | Status | Fixed version | Release | Type |
---|---|---|---|---|
symfony | fixed | 2.8.6+dfsg-1 | package | |
symfony | not-affected | jessie | package | |
Notes
http://symfony.com/blog/cve-2016-2403-unauthorized-access-on-a-misconfigured-ldap-server-when-using-an-empty-password
The original commit was incomplete: it rejected an empty-string password but did not test for a 'null' password, which resulted in
CVE-2018-11407. The complete fix is as per
https://github.com/symfony/symfony/pull/26589
https://github.com/symfony/symfony/commit/2f5bd18d82f4a8911d549d14c72bf935602834a9
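The following is an added illustration, not Symfony's own code, of the two points this record makes: why a password that is empty must never reach an LDAP simple bind (the server treats it as an unauthenticated bind and reports success), and why a check that compares only against the empty string leaves a 'null' password unhandled. `FakeLdapClient` is a constructed stand-in that mimics the unauthenticated-bind behaviour of a permissively configured directory; the three `authenticate*` functions, the DN, the password table and the exception message are assumptions made for this example and only follow the shape of the fix described above.

```php
<?php
// Added illustration (not Symfony's code): why an empty or null password must be
// rejected before an LDAP bind, and how a fix that only tests '' misses null.
declare(strict_types=1);

// Constructed stand-in for an LDAP client. An LDAP simple bind with a non-empty
// DN and an empty password is an "unauthenticated bind"; servers that allow it
// answer success even though no credential was checked. A real deployment
// would be talking to an actual directory server here.
final class FakeLdapClient
{
    /** @var array<string,string> constructed DN => password table */
    private array $directory = ['uid=alice,ou=people,dc=example,dc=org' => 'correct-horse'];

    public function bind(string $dn, ?string $password): bool
    {
        if ($password === null || $password === '') {
            return true;   // unauthenticated bind accepted: the root cause
        }
        return ($this->directory[$dn] ?? null) === $password;
    }
}

final class BadCredentialsException extends RuntimeException {}

// Vulnerable shape: hands whatever the login form posted straight to bind().
function authenticateVulnerable(FakeLdapClient $ldap, string $dn, ?string $password): bool
{
    return $ldap->bind($dn, $password);
}

// Shape of the incomplete fix: catches '' but a null password still reaches the server.
function authenticateFirstFix(FakeLdapClient $ldap, string $dn, ?string $password): bool
{
    if ('' === $password) {
        throw new BadCredentialsException('The presented password must not be empty.');
    }
    return $ldap->bind($dn, $password);
}

// Complete fix: casting to string folds null into '', so both cases are refused.
function authenticateComplete(FakeLdapClient $ldap, string $dn, ?string $password): bool
{
    if ('' === (string) $password) {
        throw new BadCredentialsException('The presented password must not be empty.');
    }
    return $ldap->bind($dn, $password);
}

// Walk each variant through the inputs that matter: empty, null, and a wrong password.
$ldap = new FakeLdapClient();
$dn = 'uid=alice,ou=people,dc=example,dc=org';
$variants = [
    'vulnerable'   => 'authenticateVulnerable',
    'first fix'    => 'authenticateFirstFix',
    'complete fix' => 'authenticateComplete',
];
foreach ($variants as $label => $fn) {
    foreach ([['empty', ''], ['null', null], ['wrong password', 'wrong']] as [$desc, $pw]) {
        try {
            $result = $fn($ldap, $dn, $pw) ? 'LOGGED IN' : 'rejected by server';
        } catch (BadCredentialsException $e) {
            $result = 'rejected before bind';
        }
        printf("%-13s %-15s %s\n", $label, $desc, $result);
    }
}
```

Run with `php example.php` (PHP 7.4 or later): the vulnerable variant logs in on both the empty and the null password, the first fix still logs in on null, and only the complete fix refuses both before any bind is sent. The defensive rule this demonstrates is to reject missing or empty credentials in the application before the LDAP round trip, rather than relying on the directory server's bind policy.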
Related vulnerabilities
A vulnerability in the Symfony web-application development and management framework, caused by errors in handling users' authorization data, that allows an attacker to bypass the authentication procedure.