#VU39726 Improper Authentication in Symfony - CVE-2016-2403
Published: February 7, 2017 / Updated: August 8, 2020
Vulnerability identifier: #VU39726
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2016-2403
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Symfony
Symfony
Software vendor:
SensioLabs
SensioLabs
Description
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
Symfony before 2.8.6 and 3.x before 3.0.6 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind.
Remediation
Install update from vendor's website.