CVE-2021-21424

MEDIUM

Sensiolabs Symfony < 3.4.48 - Information Disclosure

Title source: rule

Description

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling depending on whether the user existed or not when attempting to use the switch users functionality. We now ensure that 403s are returned whether the user exists or not if a user cannot switch to a user or if the user does not exist. The patch for this issue is available for branch 3.4.

Exploits (2)

nomisec SCANNER
by moften · poc
https://github.com/moften/Symfony-CVE-Scanner-PoC-
nomisec WORKING POC
by moften · poc
https://github.com/moften/CVE-2021-21424

References (7)

Scores

CVSS v3 5.3
EPSS 0.0027
EPSS Percentile 50.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE
CWE-200 CWE-203
Status published
Products (10)
fedoraproject/fedora 33
fedoraproject/fedora 34
lexik/jwt-authentication-bundle 2.0.0 - 2.10.7Packagist
sensiolabs/symfony 2.8.0 - 3.4.48
symfony/maker-bundle 1.27.0 - 1.29.2Packagist
symfony/security 5.0.0 - 5.2.8Packagist
symfony/security-core 2.8.0 - 3.4.48Packagist
symfony/security-guard 2.8.0 - 3.4.48Packagist
symfony/security-http 5.1.0 - 5.2.8Packagist
symfony/symfony 2.8.0 - 3.4.49Packagist
Published May 13, 2021
Tracked Since Feb 18, 2026