Main Vulnerability Database Vulnerabilities #VU31284

#VU31284 Improper Authentication in Symfony - CVE-2018-11407

Published: June 13, 2018 / Updated: July 17, 2020

Vulnerability identifier: #VU31284

Vulnerability risk: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2018-11407

CWE-ID: CWE-287

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Symfony

Software vendor:
SensioLabs

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

An issue was discovered in the Ldap component in Symfony 2.8.x before 2.8.37, 3.3.x before 3.3.17, 3.4.x before 3.4.7, and 4.0.x before 4.0.7. It allows remote attackers to bypass authentication by logging in with a "null" password and valid username, which triggers an unauthenticated bind. NOTE: this issue exists because of an incomplete fix for CVE-2016-2403.

Remediation

Install update from vendor's website.

External links

https://symfony.com/blog/cve-2018-11407-unauthorized-access-on-a-misconfigured-ldap-server-when-using-an-empty-password

#VU31284 Improper Authentication in Symfony - CVE-2018-11407

Description

Remediation

External links

Please verify you're human