CVE-2016-2403

Published on: 02/07/2017 12:00:00 AM UTC

Last Modified on: 03/23/2021 11:27:16 PM UTC

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Certain versions of Symfony from Sensiolabs contain the following vulnerability:

Symfony before 2.8.6 and 3.x before 3.0.6 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind.
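The mechanism behind this entry, as an added example that is not Symfony's code: a simulated LDAP server follows the RFC 4513 section 5.1.2 rule that a non-empty name with an empty password is an "unauthenticated" bind (accepted by default on many directory servers), and a vulnerable application login check is shown next to a hardened one that refuses the empty password before binding. The directory contents, DN and password are constructed values.

```python
# Constructed directory standing in for the real LDAP server: DN -> password.
DIRECTORY = {
    "uid=alice,ou=users,dc=example,dc=com": "correct horse battery staple",
}


def ldap_simple_bind(dn: str, password: str, allow_unauthenticated: bool = True) -> bool:
    """Simulate the server side of an LDAP simple bind; True means 'success' was returned.

    With the permissive default, an empty password on a non-empty DN is an
    unauthenticated bind: the server answers success without checking any
    credential. That server behaviour plus an application that equates
    'bind succeeded' with 'user authenticated' is the bypass in CVE-2016-2403.
    """
    if dn == "" and password == "":
        return True                       # anonymous bind, always reported as success
    if password == "":
        return allow_unauthenticated      # unauthenticated bind (RFC 4513, 5.1.2)
    return DIRECTORY.get(dn) == password  # ordinary authenticated bind


def login_vulnerable(dn: str, password: str) -> bool:
    # Treats any successful bind as proof of identity: an empty password
    # against a valid DN is accepted when the server allows unauthenticated binds.
    return ldap_simple_bind(dn, password)


def login_fixed(dn: str, password: str) -> bool:
    # Hardened form: reject the empty password before any bind is attempted,
    # so an unauthenticated bind can never be mistaken for a successful login.
    # (The shape of the check is an assumption; the page only names the fixed versions.)
    if password == "":
        return False
    return ldap_simple_bind(dn, password)


if __name__ == "__main__":
    alice = "uid=alice,ou=users,dc=example,dc=com"
    print("vulnerable, empty password:", login_vulnerable(alice, ""))  # True
    print("fixed, empty password:", login_fixed(alice, ""))            # False
    print("fixed, real password:", login_fixed(alice, DIRECTORY[alice]))  # True
```

Hardening the directory server to refuse unauthenticated binds (`allow_unauthenticated=False` in the simulation) closes the same gap from the other side, and doing both is the defence-in-depth position.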

  • CVE-2016-2403 has been assigned by [email protected] to track the vulnerability and is currently rated as CRITICAL severity.

CVSS3 Score: 9.8 - CRITICAL

Attack Vector:          NETWORK
Attack Complexity:      LOW
Privileges Required:    NONE
User Interaction:       NONE
Scope:                  UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact:       HIGH
Availability Impact:    HIGH

CVSS2 Score: 7.5 - HIGH

Access Vector:          NETWORK
Access Complexity:      LOW
Authentication:         NONE
Confidentiality Impact: PARTIAL
Integrity Impact:       PARTIAL
Availability Impact:    PARTIAL

CVE References

Description: Symfony CVE-2016-2403 Authentication Bypass Vulnerability
Tags: Third Party Advisory, VDB Entry
Link: BID 96137 (cve.report archive, text/html)

Description: CVE-2016-2403: Unauthorized access on a misconfigured Ldap server when using an empty password (Symfony Blog)
Tags: Vendor Advisory
Link: CONFIRM symfony.com/blog/cve-2016-2403-unauthorized-access-on-a-misconfigured-ldap-server-when-using-an-empty-password (text/html)

Description: Debian -- Security Information -- DSA-4262-1 symfony
Tags: Deprecated Link
Link: DEBIAN DSA-4262 (www.debian.org, text/html)

Known Affected Configurations (CPE V2.3)

Type         Vendor       Product   Version   Update   Edition   Language
Application  Sensiolabs   Symfony   2.8.0     All      All       All
Application  Sensiolabs   Symfony   2.8.1     All      All       All
Application  Sensiolabs   Symfony   2.8.2     All      All       All
Application  Sensiolabs   Symfony   2.8.3     All      All       All
Application  Sensiolabs   Symfony   2.8.4     All      All       All
Application  Sensiolabs   Symfony   2.8.5     All      All       All
Application  Sensiolabs   Symfony   3.0.0     All      All       All
Application  Sensiolabs   Symfony   3.0.1     All      All       All
Application  Sensiolabs   Symfony   3.0.2     All      All       All
Application  Sensiolabs   Symfony   3.0.3     All      All       All
Application  Sensiolabs   Symfony   3.0.4     All      All       All
Application  Sensiolabs   Symfony   3.0.5     All      All       All
  • cpe:2.3:a:sensiolabs:symfony:2.8.0:*:*:*:*:*:*:*:
  • cpe:2.3:a:sensiolabs:symfony:2.8.1:*:*:*:*:*:*:*:
  • cpe:2.3:a:sensiolabs:symfony:2.8.2:*:*:*:*:*:*:*:
  • cpe:2.3:a:sensiolabs:symfony:2.8.3:*:*:*:*:*:*:*:
  • cpe:2.3:a:sensiolabs:symfony:2.8.4:*:*:*:*:*:*:*:
  • cpe:2.3:a:sensiolabs:symfony:2.8.5:*:*:*:*:*:*:*:
  • cpe:2.3:a:sensiolabs:symfony:3.0.0:*:*:*:*:*:*:*:
  • cpe:2.3:a:sensiolabs:symfony:3.0.1:*:*:*:*:*:*:*:
  • cpe:2.3:a:sensiolabs:symfony:3.0.2:*:*:*:*:*:*:*:
  • cpe:2.3:a:sensiolabs:symfony:3.0.3:*:*:*:*:*:*:*:
  • cpe:2.3:a:sensiolabs:symfony:3.0.4:*:*:*:*:*:*:*:
  • cpe:2.3:a:sensiolabs:symfony:3.0.5:*:*:*:*:*:*:*: