#VU22930 Improper control of interaction frequency in Symfony - CVE-2019-18886

Cybersecurity Help s.r.o.

Published: 2019-11-22

Vulnerability identifier: #VU22930

Vulnerability risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-18886

CWE-ID: CWE-799

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Symfony
Web applications / CMS

Vendor: SensioLabs

Description

The vulnerability allows a remote attacker to gain access to sensitive information on the target system.

The vulnerability exists in the "Security/Http" component due to different handling depending on whether the user existed or not when attempting to use the switch users functionality. A remote attacker can enumerate users on the target system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Symfony: 4.2.0 - 4.3.7

External links
https://github.com/symfony/symfony/releases/tag/v4.3.8
https://symfony.com/blog/cve-2019-18886-prevent-user-enumeration-using-switch-user-functionality
https://symfony.com/blog/symfony-4-3-8-released

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Symfony