Vulnerability Description
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling depending on whether the user existed or not when attempting to use the switch users functionality. We now ensure that 403s are returned whether the user exists or not if a user cannot switch to a user or if the user does not exist. The patch for this issue is available for branch 3.4.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Sensiolabs | Symfony | >= 2.8.0, < 3.4.48 |
| Fedoraproject | Fedora | 33 |
Related Weaknesses (CWE)
References
- https://github.com/symfony/symfony/commit/2a581d22cc621b33d5464ed65c4bc2057f72f0PatchThird Party Advisory
- https://github.com/symfony/symfony/security/advisories/GHSA-5pv8-ppvj-4h68PatchThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2023/07/msg00014.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://github.com/symfony/symfony/commit/2a581d22cc621b33d5464ed65c4bc2057f72f0PatchThird Party Advisory
- https://github.com/symfony/symfony/security/advisories/GHSA-5pv8-ppvj-4h68PatchThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2023/07/msg00014.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
FAQ
What is CVE-2021-21424?
CVE-2021-21424 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling dep...
How severe is CVE-2021-21424?
CVE-2021-21424 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-21424?
Check the references section above for vendor advisories and patch information. Affected products include: Sensiolabs Symfony, Fedoraproject Fedora.