CVE-2016-2403
Severity: CRITICAL 9.8 | EPSS: 0.15% | symfony - security update
Published: 5/14/2022 | Modified: 5/27/2026
Description
Symfony before 2.8.6 and 3.x before 3.0.6 allows remote attackers to bypass authentication by logging in with a valid username and an empty password, which triggers an unauthenticated (anonymous) LDAP bind.
Affected packages (5)
- Debian/symfony: from 0, < 2.8.6+dfsg-1
- Debian/symfony: from 0, < 2.8.7+dfsg-1.3+deb9u1
- Packagist/symfony/security: >= 2.8.0, < 2.8.6
- Packagist/symfony/security-core: >= 2.8.0, < 2.8.6
- Packagist/symfony/symfony: >= 2.8.0, < 2.8.6
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (9)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2016-2403
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2016-2403
- WEB: https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-core/CVE-2016-2403.yaml
- WEB: https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security/CVE-2016-2403.yaml
- WEB: https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2016-2403.yaml
- WEB: https://symfony.com/cve-2016-2403
- WEB: https://web.archive.org/web/20210123224944/http://www.securityfocus.com/bid/96137
- WEB: https://www.debian.org/security/2018/dsa-4262
- WEB: http://symfony.com/blog/cve-2016-2403-unauthorized-access-on-a-misconfigured-ldap-server-when-using-an-empty-password