Improper Authentication in Symfony - CVE-2016-2403
Published: February 7, 2017 / Updated: August 8, 2020
Vulnerability identifier: #VU39726
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2016-2403
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: SensioLabs
Affected software:
Symfony
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
Symfony before 2.8.6 and 3.x before 3.0.6 allows remote attackers to bypass authentication by logging in with a valid username and an empty password, which triggers an unauthenticated LDAP bind.
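As an added illustration (not code from this advisory or from Symfony), the following Python model shows the bind semantics behind the bug: RFC 4513 allows a server to accept a simple bind that carries a DN but an empty password as an "unauthenticated" bind and answer success while granting only anonymous rights, so a client that equates "bind succeeded" with "password verified" lets an empty password through. The sample directory, the DN layout and the simple_bind simulation are constructed assumptions; login_fixed shows the client-side check that closes the gap.

```python
"""Model of CVE-2016-2403: valid user name + empty password -> LDAP unauthenticated bind."""
from dataclasses import dataclass

# Constructed sample directory (not a real deployment): DN -> password
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=org": "correct horse battery staple",
}


@dataclass
class BindResult:
    success: bool
    authz_id: str  # identity the server granted; "" means anonymous


def simple_bind(dn: str, password: str, allow_unauthenticated: bool = True) -> BindResult:
    """Simulated LDAP simple bind following RFC 4513 section 5.1 (assumed model).

    Three forms exist: anonymous (no DN, no password), unauthenticated (DN but
    empty password) and name/password. Servers may accept the unauthenticated
    form and report success while granting only anonymous access; a client that
    reads that success as a verified login is the vulnerable pattern.
    """
    if dn == "" and password == "":
        return BindResult(True, "")              # anonymous bind
    if password == "":
        return BindResult(allow_unauthenticated, "")  # unauthenticated bind, no identity granted
    ok = DIRECTORY.get(dn) == password
    return BindResult(ok, dn if ok else "")      # name/password bind


def user_dn(username: str) -> str:
    """Map a login name to its DN (constructed naming convention)."""
    return f"uid={username},ou=people,dc=example,dc=org"


def login_vulnerable(username: str, password: str) -> bool:
    """Pre-fix pattern: any successful bind is taken as proof of identity."""
    return simple_bind(user_dn(username), password).success


def login_fixed(username: str, password: str) -> bool:
    """Hardened pattern: refuse empty credentials before binding, and accept
    only a bind that actually authenticated as the expected DN."""
    if not username or not password:
        return False
    result = simple_bind(user_dn(username), password)
    return result.success and result.authz_id == user_dn(username)
```

The empty-password guard must live in the client; relying on the directory server to reject unauthenticated binds leaves the application exposed wherever that server setting differs.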
How to mitigate CVE-2016-2403
Install the update from the vendor's website.