CVE-2021-21424
PUBLISHED
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. User enumeration was possible without the relevant permissions because the switch-user functionality handled requests differently depending on whether the target user existed. We now ensure that a 403 is returned whether or not the user exists, i.e. both when the current user cannot switch to the target user and when that user does not exist. The patch for this issue is available for branch 3.4.
Risk Scores
- EPSS score: 0.34% (56.9th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:Pro:20.04:LTS | symfony | *, *, 0 |
| Ubuntu:Pro:18.04:LTS | symfony | 0, 2.8.7+dfsg-1.3ubuntu1, 3.4.3+dfsg-1ubuntu4 |
Exploit Intelligence
- Symfony's WebProfiler exposes internal server paths if it is not disabled in production (github-poc-repo)
- CVE-2021-21424 - CRLF Injection - CVE-2021-41268 - Host Header Injection - CVE-2022-24894 - open WebProfiler - CVE-2019-10909 - Directory Traversal (github-poc-repo)
- …and 24 more exploits
Timeline
- May 13, 2021 CVE Published
- May 14, 2021 EPSS Score
- Jun 2, 2021 EPSS Score
- Jun 8, 2021 EPSS Score
- Sep 16, 2021 EPSS Score
- Nov 17, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Jan 18, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- May 21, 2022 EPSS Score
- Jul 23, 2022 EPSS Score
References
- https://ubuntu.com/security/CVE-2021-21424 (third-party-advisory)
- https://symfony.com/blog/cve-2021-21424-prevent-user-enumeration-in-authentication-mechanisms (third-party-advisory)
- https://github.com/symfony/symfony/commit/f012eee6c6034a94566dff596fe4e16dfc5d9c1f (third-party-advisory)
- https://github.com/symfony/symfony/commit/2a581d22cc621b33d5464ed65c4bc2057f72f011 (third-party-advisory)
- https://github.com/symfony/symfony/security/advisories/GHSA-5pv8-ppvj-4h68 (third-party-advisory)
- https://ubuntu.com/security/notices/USN-5290-1 (vendor-advisory)
- https://www.cve.org/CVERecord?id=CVE-2021-21424 (third-party-advisory)