What is CVE-2021-21424?

CVE-2021-21424 is a vulnerability in Symfony, a PHP framework for web and console applications, that allows user enumeration via response content in authentication mechanisms.

What is the severity of CVE-2021-21424?

The severity of CVE-2021-21424 is medium, with a severity value of 5.3.

Which versions of Symfony are affected by CVE-2021-21424?

The versions of Symfony affected by CVE-2021-21424 are between 2.8.0 and 3.4.48, between 4.0.0 and 4.4.23, and between 5.0.0 and 5.2.8.

How can I fix CVE-2021-21424?

To fix CVE-2021-21424, upgrade Symfony to a version that is not affected, such as 3.4.49, 4.4.24, or 5.2.9.

Where can I find more information about CVE-2021-21424?

You can find more information about CVE-2021-21424 on the Symfony website and the GitHub pages for the Symfony project and security advisories.

Vulnerability/
CVE-2021-21424

medium

5.3

CWE

200 203

12/5/2021

13/5/2021

3/8/2024

CVE-2021-21424: Prevent user enumeration using Guard or the new Authenticator-based Security

First published: Wed May 12 2021(Updated: )

CVE-2021-21424: Prevent user enumeration via response content in authentication mechanisms

Credit: security-advisories@github.com security-advisories@github.com

Affected Software	Affected Version	How to fix
composer/symfony/symfony	>=2.8.0<3.0.0>=3.0.0<3.1.0>=3.1.0<3.2.0>=3.2.0<3.3.0>=3.3.0<3.4.0>=3.4.0<3.4.49>=4.0.0<4.1.0>=4.1.0<4.2.0>=4.2.0<4.3.0>=4.3.0<4.4.0>=4.4.0<4.4.24>=5.0.0<5.1.0>=5.1.0<5.2.0>=5.2.0<5.2.9
composer/lexik/jwt-authentication-bundle	>=2.0.0<2.1.0>=2.1.0<2.2.0>=2.2.0<2.3.0>=2.3.0<2.4.0>=2.4.0<2.5.0>=2.5.0<2.6.0>=2.6.0<2.7.0>=2.7.0<2.8.0>=2.8.0<2.9.0>=2.9.0<2.10.0>=2.10.0<2.10.7>=2.11.0<2.11.3
composer/symfony/security	>=2.8.0<3.0.0>=3.0.0<3.1.0>=3.1.0<3.2.0>=3.2.0<3.3.0>=3.3.0<3.4.0>=3.4.0<3.4.49>=4.0.0<4.1.0>=4.1.0<4.2.0>=4.2.0<4.3.0>=4.3.0<4.4.0>=4.4.0<4.4.24
composer/symfony/security-core	>=2.8.0<3.0.0>=3.0.0<3.1.0>=3.1.0<3.2.0>=3.2.0<3.3.0>=3.3.0<3.4.0>=3.4.0<3.4.49>=4.0.0<4.1.0>=4.1.0<4.2.0>=4.2.0<4.3.0>=4.3.0<4.4.0>=4.4.0<4.4.24>=5.0.0<5.1.0>=5.1.0<5.2.0>=5.2.0<5.2.9
composer/symfony/security-guard	>=2.8.0<3.0.0>=3.0.0<3.1.0>=3.1.0<3.2.0>=3.2.0<3.3.0>=3.3.0<3.4.0>=3.4.0<3.4.48>=4.0.0<4.1.0>=4.1.0<4.2.0>=4.2.0<4.3.0>=4.3.0<4.4.0>=4.4.0<4.4.23>=5.0.0<5.1.0>=5.1.0<5.2.0>=5.2.0<5.2.8
composer/symfony/maker-bundle	>=1.27.0<1.28.0>=1.28.0<1.29.0>=1.29.0<1.29.2>=1.30.0<1.31.0>=1.31.0<1.31.1
composer/symfony/security-http	>=5.1.0<5.2.0>=5.2.0<5.2.8
SensioLabs Symfony	>=2.8.0<3.4.48
SensioLabs Symfony	>=4.0.0<4.4.23
SensioLabs Symfony	>=5.0.0<5.2.8
Fedoraproject Fedora	=33
Fedoraproject Fedora	=34
composer/symfony/symfony	>=5.0.0<5.2.9	5.2.9
composer/symfony/symfony	>=4.0.0<4.4.24	4.4.24
composer/symfony/symfony	>=2.8.0<3.4.49	3.4.49
composer/symfony/security	>=4.0.0<4.4.24	4.4.24
composer/symfony/security	>=2.8.0<3.4.49	3.4.49
composer/symfony/security-http	>=5.1.0<5.2.8	5.2.8
composer/symfony/maker-bundle	>=1.30.0<1.31.1	1.31.1
composer/symfony/maker-bundle	>=1.27.0<1.29.2	1.29.2
composer/lexik/jwt-authentication-bundle	>=2.11.0<2.11.3	2.11.3
composer/lexik/jwt-authentication-bundle	>=2.0.0<2.10.7	2.10.7
composer/symfony/security-core	>=5.0.0<5.2.8	5.2.8
composer/symfony/security-core	>=4.0.0<4.4.23	4.4.23
composer/symfony/security-core	>=2.8.0<3.4.48	3.4.48
composer/symfony/security-guard	>=5.0.0<5.2.8	5.2.8
composer/symfony/security-guard	>=4.0.0<4.4.23	4.4.23
composer/symfony/security-guard	>=2.8.0<3.4.48	3.4.48
composer/symfony/security	>=5.0.0<5.2.8	5.2.8

Remedy

https://github.com/symfony/symfony/commit/2a581d22cc621b33d5464ed65c4bc2057f72f011

Remedy

https://github.com/symfony/symfony/security/advisories/GHSA-5pv8-ppvj-4h68

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2021-21424?
CVE-2021-21424 is a vulnerability in Symfony, a PHP framework for web and console applications, that allows user enumeration via response content in authentication mechanisms.
What is the severity of CVE-2021-21424?
The severity of CVE-2021-21424 is medium, with a severity value of 5.3.
Which versions of Symfony are affected by CVE-2021-21424?
The versions of Symfony affected by CVE-2021-21424 are between 2.8.0 and 3.4.48, between 4.0.0 and 4.4.23, and between 5.0.0 and 5.2.8.
How can I fix CVE-2021-21424?
To fix CVE-2021-21424, upgrade Symfony to a version that is not affected, such as 3.4.49, 4.4.24, or 5.2.9.
Where can I find more information about CVE-2021-21424?
You can find more information about CVE-2021-21424 on the Symfony website and the GitHub pages for the Symfony project and security advisories.

collector/friends-of-php
collector/nvd-index
agent/type
agent/first-publish-date
agent/remedy
collector/github-advisory-latest
source/GitHub
alias/GHSA-5pv8-ppvj-4h68
alias/CVE-2021-21424
agent/software-canonical-lookup
agent/weakness
agent/severity
agent/softwarecombine
agent/description
collector/nvd-cve
source/NVD
agent/author
agent/references
collector/github-advisory
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/title
agent/tags
agent/event
package-manager/composer
vendor/sensiolabs
canonical/sensiolabs symfony
version/sensiolabs symfony/2.8.0
version/sensiolabs symfony/4.0.0
version/sensiolabs symfony/5.0.0
vendor/fedoraproject
canonical/fedoraproject fedora
version/fedoraproject fedora/33
version/fedoraproject fedora/34

CVE-2021-21424: Prevent user enumeration using Guard or the new Authenticator-based Security

Remedy

Remedy

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2021-21424?

What is the severity of CVE-2021-21424?

Which versions of Symfony are affected by CVE-2021-21424?

How can I fix CVE-2021-21424?

Where can I find more information about CVE-2021-21424?

Company

Resources

Contact