Vulnerability Description
An issue was discovered in Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7. The ability to enumerate users was possible due to different handling depending on whether the user existed when making unauthorized attempts to use the switch users functionality. This is related to symfony/security.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Sensiolabs | Symfony | >= 4.2.0, <= 4.2.11 |
Related Weaknesses (CWE)
References
- https://github.com/symfony/symfony/releases/tag/v4.3.8Release Notes
- https://symfony.com/blog/cve-2019-18886-prevent-user-enumeration-using-switch-usVendor Advisory
- https://symfony.com/blog/symfony-4-3-8-releasedRelease Notes
- https://github.com/symfony/symfony/releases/tag/v4.3.8Release Notes
- https://symfony.com/blog/cve-2019-18886-prevent-user-enumeration-using-switch-usVendor Advisory
- https://symfony.com/blog/symfony-4-3-8-releasedRelease Notes
FAQ
What is CVE-2019-18886?
CVE-2019-18886 is a vulnerability with a CVSS score of 5.3 (MEDIUM). An issue was discovered in Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7. The ability to enumerate users was possible due to different handling depending on whether the user existed when making unauthori...
How severe is CVE-2019-18886?
CVE-2019-18886 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-18886?
Check the references section above for vendor advisories and patch information. Affected products include: Sensiolabs Symfony.