CVE-2018-11407

Published: Jun 13, 2018Modified: Nov 21, 2024

9.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

An issue was discovered in the Ldap component in Symfony 2.8.x before 2.8.37, 3.3.x before 3.3.17, 3.4.x before 3.4.7, and 4.0.x before 4.0.7. It allows remote attackers to bypass authentication by logging in with a "null" password and valid username, which triggers an unauthenticated bind. NOTE: this issue exists because of an incomplete fix for CVE-2016-2403.

Affected (4)

Products: Sensiolabs: Symfony

Sensiolabs

1 product

Symfony

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Sensiolabs Symfony	From 2.8.0 to 2.8.37
Sensiolabs Symfony	From 3.3.0 to 3.3.17
Sensiolabs Symfony	From 3.4.0 to 3.4.7
Sensiolabs Symfony	From 4.0.0 to 4.0.7

Related CWEs

CWE-287

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

References (2)

https://symfony.com/blog/cve-2018-11407-unauthorized-access-on-a-misconfigured-ldap-server-when-using-an-empty-password

Source: cve@mitre.org

Vendor Advisory

https://symfony.com/blog/cve-2018-11407-unauthorized-access-on-a-misconfigured-ldap-server-when-using-an-empty-password

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.