CVE-2019-18886
First published: Wed Nov 13 2019(Updated: )
An issue was discovered in Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7. The ability to enumerate users was possible due to different handling depending on whether the user existed when making unauthorized attempts to use the switch users functionality. This is related to symfony/security.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/symfony/security-http | >=4.1.0<4.2.0>=4.2.0<4.2.12>=4.3.0<4.3.8 | |
| composer/symfony/symfony | >=4.1.0<4.2.0>=4.2.0<4.2.12>=4.3.0<4.3.8 | |
| SensioLabs Symfony | >=4.2.0<=4.2.11 | |
| SensioLabs Symfony | >=4.3.0<=4.3.7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2019-18886?
CVE-2019-18886 is a vulnerability that allows user enumeration using the switch user functionality in Symfony versions 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7.
What is the severity of CVE-2019-18886?
The severity of CVE-2019-18886 is medium with a CVSS score of 5.3.
How does CVE-2019-18886 affect Symfony?
CVE-2019-18886 affects Symfony versions 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7.
How can I fix CVE-2019-18886?
To fix CVE-2019-18886, update your Symfony installation to version 4.2.12 or 4.3.8 or later.
Where can I find more information about CVE-2019-18886?
You can find more information about CVE-2019-18886 on the Symfony website.
- collector/friends-of-php
- collector/nvd-index
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/references
- agent/weakness
- agent/severity
- agent/author
- agent/event
- agent/description
- agent/tags
- package-manager/composer
- vendor/sensiolabs
- canonical/sensiolabs symfony
- version/sensiolabs symfony/4.2.0
- version/sensiolabs symfony/4.2.11
- version/sensiolabs symfony/4.3.0
- version/sensiolabs symfony/4.3.7