CVE-2019-18886 - Vulnerability Details - OpenCVE

An issue was discovered in Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7. The ability to enumerate users was possible due to different handling depending on whether the user existed when making unauthorized attempts to use the switch users functionality. This is related to symfony/security.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Sensiolabs	Symfony

Configuration 1 [-]

OR	cpe:2.3:a:sensiolabs:symfony::::::::
	cpe:2.3:a:sensiolabs:symfony::::::::

No data.

References

Link	Providers
https://github.com/symfony/symfony/releases/tag/v4.3.8
https://symfony.com/blog/cve-2019-18886-prevent-user-enumeration-using-switch-user-functionality
https://symfony.com/blog/symfony-4-3-8-released

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-11-21T17:41:54

Updated: 2024-08-05T02:02:39.808Z

Reserved: 2019-11-12T00:00:00

Link: CVE-2019-18886

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-11-21T18:15:11.820

Modified: 2024-11-21T04:33:46.837

Link: CVE-2019-18886

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7. The ability to enumerate users was possible due to different handling depending on whether the user existed when making unauthorized attempts to use the switch users functionality. This is related to symfony/security."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-11-21T17:41:54", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/symfony/symfony/releases/tag/v4.3.8"}, {"tags": ["x_refsource_MISC"], "url": "https://symfony.com/blog/symfony-4-3-8-released"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://symfony.com/blog/cve-2019-18886-prevent-user-enumeration-using-switch-user-functionality"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-18886", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7. The ability to enumerate users was possible due to different handling depending on whether the user existed when making unauthorized attempts to use the switch users functionality. This is related to symfony/security."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/symfony/symfony/releases/tag/v4.3.8", "refsource": "MISC", "url": "https://github.com/symfony/symfony/releases/tag/v4.3.8"}, {"name": "https://symfony.com/blog/symfony-4-3-8-released", "refsource": "MISC", "url": "https://symfony.com/blog/symfony-4-3-8-released"}, {"name": "https://symfony.com/blog/cve-2019-18886-prevent-user-enumeration-using-switch-user-functionality", "refsource": "CONFIRM", "url": "https://symfony.com/blog/cve-2019-18886-prevent-user-enumeration-using-switch-user-functionality"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T02:02:39.808Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/symfony/symfony/releases/tag/v4.3.8"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://symfony.com/blog/symfony-4-3-8-released"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://symfony.com/blog/cve-2019-18886-prevent-user-enumeration-using-switch-user-functionality"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-18886", "datePublished": "2019-11-21T17:41:54", "dateReserved": "2019-11-12T00:00:00", "dateUpdated": "2024-08-05T02:02:39.808Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*", "matchCriteriaId": "F1317DFC-16C6-48A6-B792-3A190E552E79", "versionEndIncluding": "4.2.11", "versionStartIncluding": "4.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*", "matchCriteriaId": "CAE8AADD-6D19-481A-86D2-9E305ED6F197", "versionEndIncluding": "4.3.7", "versionStartIncluding": "4.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7. The ability to enumerate users was possible due to different handling depending on whether the user existed when making unauthorized attempts to use the switch users functionality. This is related to symfony/security."}, {"lang": "es", "value": "Se detect\u00f3 un problema en Symfony versiones 4.2.0 hasta 4.2.11 y 4.3.0 hasta 4.3.7. La capacidad para enumerar usuarios fue posible debido a un manejo diferente dependiendo de si el usuario exist\u00eda cuando se realizaron intentos no autorizados de utilizar la funcionalidad switch users. Esto est\u00e1 relacionado con Symfony/Security."}], "id": "CVE-2019-18886", "lastModified": "2024-11-21T04:33:46.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-11-21T18:15:11.820", "references": [{"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://github.com/symfony/symfony/releases/tag/v4.3.8"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://symfony.com/blog/cve-2019-18886-prevent-user-enumeration-using-switch-user-functionality"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://symfony.com/blog/symfony-4-3-8-released"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/symfony/symfony/releases/tag/v4.3.8"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://symfony.com/blog/cve-2019-18886-prevent-user-enumeration-using-switch-user-functionality"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://symfony.com/blog/symfony-4-3-8-released"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-203"}], "source": "nvd@nist.gov", "type": "Primary"}]}