CVE-2016-2403

CRITICAL

Sensiolabs Symfony < 2.8.6 - Authentication Bypass

Title source: rule

Description

Symfony before 2.8.6 and 3.x before 3.0.6 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind.

Scores

CVSS v3 9.8
EPSS 0.0015
EPSS Percentile 35.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE
CWE-287
Status draft

Affected Products (15)

sensiolabs/symfony
symfony/security-core < 2.8.6 (Packagist)
symfony/security < 2.8.6 (Packagist)
symfony/symfony < 2.8.6 (Packagist)

Timeline

Published Feb 07, 2017
Tracked Since Feb 18, 2026