CVE-2018-11407

NameCVE-2018-11407
DescriptionAn issue was discovered in the Ldap component in Symfony 2.8.x before 2.8.37, 3.3.x before 3.3.17, 3.4.x before 3.4.7, and 4.0.x before 4.0.7. It allows remote attackers to bypass authentication by logging in with a "null" password and valid username, which triggers an unauthenticated bind. NOTE: this issue exists because of an incomplete fix for CVE-2016-2403.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
symfony (PTS)bullseye4.4.19+dfsg-2+deb11u6fixed
bookworm, bookworm (security)5.4.23+dfsg-1+deb12u4fixed
sid, trixie6.4.17+dfsg-6fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
symfonysourcejessie(not affected)
symfonysourcestretch(not affected)
symfonysource(unstable)3.4.12+dfsg-1

Notes

[stretch] - symfony <not-affected> (Incomplete fix for CVE-2016-2403 not applied)
[jessie] - symfony <not-affected> (Incomplete fix for CVE-2016-2403 not applied)
https://symfony.com/blog/cve-2018-11407-unauthorized-access-on-a-misconfigured-ldap-server-when-using-an-empty-password
Search for package or bug name: Reporting problems