CVE-2017-16652

Description

An issue was discovered in Symfony 2.7.x before 2.7.38, 2.8.x before 2.8.31, 3.2.x before 3.2.14, and 3.3.x before 3.3.13. DefaultAuthenticationSuccessHandler or DefaultAuthenticationFailureHandler takes the content of the _target_path parameter and generates a redirect response, but no check is performed on the path, which could be an absolute URL to an external domain. This Open redirect vulnerability can be exploited for example to mount effective phishing attacks.

How to fix CVE-2017-16652

To remediate CVE-2017-16652, upgrade the affected package to a fixed version below.

• —upgrade to 3.4.0+dfsg-1 or later
• —upgrade to 2.3.21+dfsg-4+deb8u4 or later
• —upgrade to 2.7.38 or later
• —upgrade to 2.7.38 or later
• —upgrade to 2.7.38 or later

Is CVE-2017-16652 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (5)

• from 0, < 3.4.0+dfsg-1
• from 0, < 2.3.21+dfsg-4+deb8u4
• >= 2.7.0, < 2.7.38
• >= 2.7.0, < 2.7.38
• >= 2.7.0, < 2.7.38

CVSS scores

References (9)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2017-16652
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2017-16652
• PATCHgithub.com/symfony/symfony
• WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/symfony/security/CVE-2017-16652.yaml