#VU18298 Improper authentication in Symfony - CVE-2019-10911


Vulnerability identifier: #VU18298

Vulnerability risk: Medium

CVSSv4.0: 5.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-10911

CWE-ID: CWE-287

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Symfony
Web applications / CMS

Vendor: SensioLabs

Description

The disclosed vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to the way application handles values within HTTP cookies, related to session expiration time and username. A remote attacker can modify the remember me cookie value and authenticate as a different user.

This attack is only possible if remember me functionality is enabled and the two users share a password hash or the password hashes (e.g. UserInterface::getPassword()) are null for all users (which is valid if passwords are checked by an external system, e.g. an SSO).

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Symfony: 2.7.0 - 4.2.6

External links
https://symfony.com/blog/cve-2019-10911-add-a-separator-in-the-remember-me-cookie-hash

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Debian update for symfony
Fedora 28 update for drupal8
Fedora 30 update for drupal8
Fedora 29 update for drupal8
Fedora 29 update for php-symfony4
Fedora 30 update for php-symfony4
Fedora 28 update for php-symfony3
Fedora 30 update for php-symfony3
Fedora 29 update for php-symfony3
Fedora 29 update for php-symfony