gsd-2017-11365
Vulnerability from gsd
Modified
2023-12-13 01:21
Details
Certain Symfony products are affected by: Incorrect Access Control. This affects Symfony 2.7.30 and Symfony 2.8.23 and Symfony 3.2.10 and Symfony 3.3.3. The type of exploitation is: remote. The component is: Password validator.
Aliases
Aliases



{
  "GSD": {
    "alias": "CVE-2017-11365",
    "description": "Certain Symfony products are affected by: Incorrect Access Control. This affects Symfony 2.7.30 and Symfony 2.8.23 and Symfony 3.2.10 and Symfony 3.3.3. The type of exploitation is: remote. The component is: Password validator.",
    "id": "GSD-2017-11365"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2017-11365"
      ],
      "details": "Certain Symfony products are affected by: Incorrect Access Control. This affects Symfony 2.7.30 and Symfony 2.8.23 and Symfony 3.2.10 and Symfony 3.3.3. The type of exploitation is: remote. The component is: Password validator.",
      "id": "GSD-2017-11365",
      "modified": "2023-12-13T01:21:15.694576Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2017-11365",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Certain Symfony products are affected by: Incorrect Access Control. This affects Symfony 2.7.30 and Symfony 2.8.23 and Symfony 3.2.10 and Symfony 3.3.3. The type of exploitation is: remote. The component is: Password validator."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/symfony/symfony/pull/23507",
            "refsource": "MISC",
            "url": "https://github.com/symfony/symfony/pull/23507"
          },
          {
            "name": "https://github.com/symfony/symfony/commit/878198cefae028386c6dc800ccbf18f2b9cbff3f",
            "refsource": "MISC",
            "url": "https://github.com/symfony/symfony/commit/878198cefae028386c6dc800ccbf18f2b9cbff3f"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=2.7.30,\u003c2.7.32||\u003e=2.8.23,\u003c2.8.25||\u003e=3.2.10,\u003c3.2.12||\u003e=3.3.3,\u003c3.3.5",
          "affected_versions": "All versions starting from 2.7.30 before 2.7.32, all versions starting from 2.8.23 before 2.8.25, all versions starting from 3.2.10 before 3.2.12, all versions starting from 3.3.3 before 3.3.5",
          "credit": "Christian Flothmann",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-284",
            "CWE-937"
          ],
          "date": "2019-05-24",
          "description": "Validating a user password with a `UserPassword` constraint but with no `NotBlank` constraint passes without any error (the empty password would not be compared with the user password). Note that you should always be explicit and add a `NotBlank` constraint, but as it worked before without, it\u0027s considered as a backward compatibility break and a security issue.",
          "fixed_versions": [
            "v2.7.32",
            "v2.8.25",
            "v3.2.12",
            "v3.3.5"
          ],
          "identifier": "CVE-2017-11365",
          "identifiers": [
            "CVE-2017-11365"
          ],
          "not_impacted": "All versions before 2.7.30, all versions starting from 2.7.32 before 2.8.23, all versions starting from 2.8.25 before 3.2.10, all versions starting from 3.2.12 before 3.3.3, all versions starting from 3.3.5",
          "package_slug": "packagist/symfony/security-core",
          "pubdate": "2019-05-23",
          "solution": "Upgrade to versions v2.7.32, v2.8.25, v3.2.12, v3.3.5 or above.",
          "title": "Empty passwords validation issue",
          "urls": [
            "https://github.com/symfony/symfony/pull/23507",
            "https://symfony.com/blog/cve-2017-11365-empty-passwords-validation-issue"
          ],
          "uuid": "1ef692fb-b781-4d3a-8f69-7bb7375769d2"
        },
        {
          "affected_range": "\u003e=2.7.30,\u003c2.7.32||\u003e=2.8.23,\u003c2.8.25||\u003e=3.2.10,\u003c3.2.12||\u003e=3.3.3,\u003c3.3.5",
          "affected_versions": "All versions starting from 2.7.30 before 2.7.32, all versions starting from 2.8.23 before 2.8.25, all versions starting from 3.2.10 before 3.2.12, all versions starting from 3.3.3 before 3.3.5",
          "credit": "Christian Flothmann",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-284",
            "CWE-937"
          ],
          "date": "2019-05-24",
          "description": "Validating a user password with a `UserPassword` constraint but with no `NotBlank` constraint passes without any error (the empty password would not be compared with the user password). Note that you should always be explicit and add a `NotBlank` constraint, but as it worked before without, it\u0027s considered as a backward compatibility break and a security issue.",
          "fixed_versions": [
            "v2.7.32",
            "v2.8.25",
            "v3.2.12",
            "v3.3.5"
          ],
          "identifier": "CVE-2017-11365",
          "identifiers": [
            "CVE-2017-11365"
          ],
          "not_impacted": "All versions before 2.7.30, all versions starting from 2.7.32 before 2.8.23, all versions starting from 2.8.25 before 3.2.10, all versions starting from 3.2.12 before 3.3.3, all versions starting from 3.3.5",
          "package_slug": "packagist/symfony/security",
          "pubdate": "2019-05-23",
          "solution": "Upgrade to versions v2.7.32, v2.8.25, v3.2.12, v3.3.5 or above.",
          "title": "Empty passwords validation issue",
          "urls": [
            "https://github.com/symfony/symfony/pull/23507",
            "https://symfony.com/blog/cve-2017-11365-empty-passwords-validation-issue"
          ],
          "uuid": "961ed5f8-7010-4d24-b96f-ad5df6e6ac2f"
        },
        {
          "affected_range": "\u003e=2.7.30,\u003c2.7.32||\u003e=2.8.23,\u003c2.8.25||\u003e=3.2.10,\u003c3.2.12||\u003e=3.3.3,\u003c3.3.5",
          "affected_versions": "All versions starting from 2.7.30 before 2.7.32, all versions starting from 2.8.23 before 2.8.25, all versions starting from 3.2.10 before 3.2.12, all versions starting from 3.3.3 before 3.3.5",
          "credit": "Christian Flothmann",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-284",
            "CWE-937"
          ],
          "date": "2019-05-24",
          "description": "Validating a user password with a `UserPassword` constraint but with no `NotBlank` constraint passes without any error (the empty password would not be compared with the user password). Note that you should always be explicit and add a `NotBlank` constraint, but as it worked before without, it\u0027s considered as a backward compatibility break and a security issue.",
          "fixed_versions": [
            "v2.7.32",
            "v2.8.25",
            "v3.2.12",
            "v3.3.5"
          ],
          "identifier": "CVE-2017-11365",
          "identifiers": [
            "CVE-2017-11365"
          ],
          "not_impacted": "All versions before 2.7.30, all versions starting from 2.7.32 before 2.8.23, all versions starting from 2.8.25 before 3.2.10, all versions starting from 3.2.12 before 3.3.3, all versions starting from 3.3.5",
          "package_slug": "packagist/symfony/symfony",
          "pubdate": "2019-05-23",
          "solution": "Upgrade to versions v2.7.32, v2.8.25, v3.2.12, v3.3.5 or above.",
          "title": "Empty passwords validation issue",
          "urls": [
            "https://github.com/symfony/symfony/pull/23507",
            "https://symfony.com/blog/cve-2017-11365-empty-passwords-validation-issue"
          ],
          "uuid": "47323433-af04-41a8-8785-e0b0218825b6"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:sensiolabs:symfony:2.7.30:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sensiolabs:symfony:2.8.23:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sensiolabs:symfony:3.3.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:sensiolabs:symfony:3.2.10:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2017-11365"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Certain Symfony products are affected by: Incorrect Access Control. This affects Symfony 2.7.30 and Symfony 2.8.23 and Symfony 3.2.10 and Symfony 3.3.3. The type of exploitation is: remote. The component is: Password validator."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-284"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/symfony/symfony/pull/23507",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/symfony/symfony/pull/23507"
            },
            {
              "name": "https://github.com/symfony/symfony/commit/878198cefae028386c6dc800ccbf18f2b9cbff3f",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/symfony/symfony/commit/878198cefae028386c6dc800ccbf18f2b9cbff3f"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2019-05-24T19:35Z",
      "publishedDate": "2019-05-23T18:29Z"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.


Loading…

Loading…