CVE-2016-2403 — symfony - security update

Description

Symfony before 2.8.6 and 3.x before 3.0.6 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind.

How to fix CVE-2016-2403

To remediate CVE-2016-2403, upgrade the affected package to a fixed version below.

Debian/symfony—upgrade to 2.8.6+dfsg-1 or later
—upgrade to 2.8.7+dfsg-1.3+deb9u1 or later
—upgrade to 2.8.6 or later
—upgrade to 2.8.6 or later
—upgrade to 2.8.6 or later

Is CVE-2016-2403 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (5)

from 0, < 2.8.6+dfsg-1
from 0, < 2.8.7+dfsg-1.3+deb9u1
>= 2.8.0, < 2.8.6
>= 2.8.0, < 2.8.6
>= 2.8.0, < 2.8.6

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (9)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-2403
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2016-2403
WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-core/CVE-2016-2403.yaml
WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/symfony/security/CVE-2016-2403.yaml