An issue exists in the Ldap component in Symfony 2.8.x prior to 2.8.37, 3.3.x prior to 3.3.17, 3.4.x prior to 3.4.7, and 4.0.x prior to 4.0.7. It allows remote malicious users to bypass authentication by logging in with a "null" password and valid username, which triggers an unauthenticated bind. NOTE: this issue exists because of an incomplete fix for CVE-2016-2403.
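The failure mode described above, as an added example (not Symfony's code and not the project's patch): a bind-as-user login that trusts the bind result alone, next to the same login with an empty-password guard. `FakeDirectory`, `loginNaive`, `loginGuarded` and the sample DN and passwords are constructed for illustration, and the stand-in assumes a directory server that accepts unauthenticated binds.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for a directory server that accepts unauthenticated
// binds (assumption): a simple bind carrying a DN and a null/empty password
// succeeds without any credential being checked.
final class FakeDirectory
{
    /** @var array<string,string> constructed sample entries: DN => password */
    private array $users = ['uid=alice,dc=example,dc=org' => 's3cret'];

    public function bind(string $dn, ?string $password): bool
    {
        if ($password === null || $password === '') {
            return true; // unauthenticated bind: no identity is proven
        }
        return isset($this->users[$dn]) && hash_equals($this->users[$dn], $password);
    }
}

// Flawed pattern: a successful bind is taken as proof of the user's identity.
function loginNaive(FakeDirectory $ldap, string $dn, ?string $password): bool
{
    return $ldap->bind($dn, $password);
}

// Guarded pattern: refuse null/empty before the directory is ever asked.
function loginGuarded(FakeDirectory $ldap, string $dn, ?string $password): bool
{
    // Compare with '' after a string cast; empty() would also reject "0",
    // which is a legitimate non-empty password.
    if ('' === (string) $password) {
        return false;
    }
    return $ldap->bind($dn, $password);
}

$ldap = new FakeDirectory();
$dn   = 'uid=alice,dc=example,dc=org';
foreach ([null, '', '0', 'wrong', 's3cret'] as $pw) {
    printf("%-8s naive=%-5s guarded=%s\n",
        var_export($pw, true),
        var_export(loginNaive($ldap, $dn, $pw), true),
        var_export(loginGuarded($ldap, $dn, $pw), true));
}
```

Only the `null` and `''` rows differ between the two columns: the naive login reports success for them, the guarded one does not.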
Vulnerable Product |
---|
sensiolabs symfony |