CVE-2018-11408
Published: 13 June 2018
The security handlers in the Security component in Symfony in 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11 have an Open redirect vulnerability when security.http_utils is inlined by a container. NOTE: this issue exists because of an incomplete fix for CVE-2017-16652.
Priority
CVSS 3 base score: 6.1
Status
Package | Release | Status |
---|---|---|
symfony | Upstream | Released (3.4.12+dfsg-1) |
symfony | Ubuntu 20.10 (Groovy Gorilla) | Not vulnerable (3.4.15+dfsg-2ubuntu4) |
symfony | Ubuntu 20.04 LTS (Focal Fossa) | Not vulnerable (3.4.15+dfsg-2ubuntu4) |
symfony | Ubuntu 18.04 LTS (Bionic Beaver) | Needed |
symfony | Ubuntu 16.04 LTS (Xenial Xerus) | Needed |
symfony | Ubuntu 14.04 ESM (Trusty Tahr) | Does not exist |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11408
- https://symfony.com/blog/cve-2018-11408-open-redirect-vulnerability-on-security-handlers
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G4XNBMFW33H47O5TZGA7JYCVLDBCXAJV/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBQK7JDXIELADIPGZIOUCZKMAJM5LSBW/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WU5N2TZFNGXDGMXMPP7LZCWTFLENF6WH/
- NVD
- Launchpad
- Debian