Описание
An issue was discovered in Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7. The ability to enumerate users was possible due to different handling depending on whether the user existed when making unauthorized attempts to use the switch users functionality. This is related to symfony/security.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| symfony | fixed | 4.3.8+dfsg-1 | package | |
| symfony | not-affected | buster | package | |
| symfony | not-affected | stretch | package |
Примечания
https://symfony.com/blog/cve-2019-18886-prevent-user-enumeration-using-switch-user-functionality
Introduced by: https://github.com/symfony/symfony/commit/6e6ac9eaeec9e6a6cc0ab003cac3738460542b0a (v4.1.0-BETA1)
Previous versions asserts "the current user is granted to switch" BEFORE
"loading the user" and thus are not affected.
Fixed by: https://github.com/symfony/symfony/commit/7bd4a92fc9cc15d9a9fbb9eb1041e01b977f8332 (v4.2.12)
EPSS
Связанные уязвимости
An issue was discovered in Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7. The ability to enumerate users was possible due to different handling depending on whether the user existed when making unauthorized attempts to use the switch users functionality. This is related to symfony/security.
An issue was discovered in Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7. The ability to enumerate users was possible due to different handling depending on whether the user existed when making unauthorized attempts to use the switch users functionality. This is related to symfony/security.
User enumeration leak using switch user functionality in Symfony
EPSS