CVE-2019-18886
Published: 21 November 2019
An issue was discovered in Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7. The ability to enumerate users was possible due to different handling depending on whether the user existed when making unauthorized attempts to use the switch users functionality. This is related to symfony/security.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
symfony Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(code not present)
|
| disco |
Ignored
(end of life)
|
|
| eoan |
Ignored
(end of life)
|
|
| focal |
Not vulnerable
(4.3.8+dfsg-1ubuntu1)
|
|
| groovy |
Not vulnerable
(4.3.8+dfsg-1ubuntu1)
|
|
| hirsute |
Not vulnerable
(4.3.8+dfsg-1ubuntu1)
|
|
| impish |
Not vulnerable
(4.3.8+dfsg-1ubuntu1)
|
|
| jammy |
Not vulnerable
(4.3.8+dfsg-1ubuntu1)
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(4.3.8+dfsg-1)
|
|
| xenial |
Not vulnerable
(code not present)
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 5.3 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |