CVE-2021-21424

NameCVE-2021-21424
DescriptionSymfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling depending on whether the user existed or not when attempting to use the switch users functionality. We now ensure that 403s are returned whether the user exists or not if a user cannot switch to a user or if the user does not exist. The patch for this issue is available for branch 3.4.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3493-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
symfony (PTS)bullseye4.4.19+dfsg-2+deb11u6fixed
bookworm5.4.23+dfsg-1+deb12u2fixed
bookworm (security)5.4.23+dfsg-1+deb12u4fixed
trixie6.4.14+dfsg-1fixed
sid6.4.15+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
symfonysourcebuster3.4.22+dfsg-2+deb10u2DLA-3493-1
symfonysource(unstable)4.4.19+dfsg-2

Notes

[stretch] - symfony <postponed> (Minor issue)
https://symfony.com/blog/cve-2021-21424-prevent-user-enumeration-in-authentication-mechanisms
https://github.com/symfony/symfony/commit/f012eee6c6034a94566dff596fe4e16dfc5d9c1f

Search for package or bug name: Reporting problems