CVE-2021-21424: Prevent user enumeration in authentication mechanisms

Affected versions¶ Symfony >=2.8.0, <3.4.48 || >= 4.0.0, <4.4.23 || >= 5.0.0, <5.2.8 versions of the Symfony Security, Security Guard, Security Core, and Security HTTP components are affected by this security issue. The issue has been fixed in Symfony 3.4.48, 4.4.23, 5.2.8, and 5.3.0 beta4. All other affected minor versions of Symfony won’t be patched as they are not maintained anymore. Description¶ The ability to enumerate users was possible without relevant permissions due to different exception messages depending on whether the user existed or not. It was also possible to enumerate users by using a timing attack, by comparing time elapsed when authenticating an existing user and authenticating a non-existing user. We now ensure that 403s are returned whether the user exists or not if the password is invalid or if the user does not exist. The patch for this issue is available here for branch 3.4. Credits¶ I would like to thank James Isaac and Mathias Brodala for reporting the issue and Robin Chalas for fixing the issue.

                Sponsor the Symfony project.

http://feedproxy.google.com/~r/symfony/blog/~3/z8Fe1a3Il98/cve-2021-21424-prevent-user-enumeration-in-authentication-mechanisms

Établi 4y | 12 mai 2021, 14:22:32


Connectez-vous pour ajouter un commentaire

Autres messages de ce groupe

SymfonyOnline June 2025: How Doctrine Events Ruined My Day(s)

SymfonyOnline June 2025 is almost here, starting in almost 2 months on:

June 10-11: Workshop days. It is possible to attend 1 two-day training or 2 one-day trainings. June 12-13: Online confe

25 avr. 2025, 13:40:15 | Symfony
Introducing A Streaming AMQP Transport for Symfony Messenger

Symfony's Messenger component makes it easy to build message-driven applications. However, developers using symfony/amqp-messenger have long faced a limitation: it relies on polling (get()), which can

25 avr. 2025, 09:10:02 | Symfony
SymfonyLive Berlin 2025: Recap and Replay !

SymfonyLive Berlin 2025 took place just 3 weeks ago!

A huge thank you to everyone who joined us!🔥 The conference brought together the local Symfony community in the heart of Berlin for two da

24 avr. 2025, 14:30:18 | Symfony
New in Symfony 7.3: Global Translation Parameters

Contributed by Hubert Lenoir in

24 avr. 2025, 07:30:24 | Symfony
SymfonyOnline June 2025: FormFlow: Build Stunning Multistep Forms

SymfonyOnline June 2025 is almost here, starting in almost 2 months on:

June 10-11: Workshop days. It is possible to attend 1 two-day training or 2 one-day trainings. June 12-13: Online confe

23 avr. 2025, 15:20:21 | Symfony
New in Symfony 7.3: Assets Pre-Compression

Contributed by Kévin Dunglas in

23 avr. 2025, 08:20:31 | Symfony
SymfonyOnline June 2025: Inside a Financial App Breach: Debugging a Million-Dollar Bug

SymfonyOnline June 2025 is almost here, starting in almost 2 months on:

June 10-11: Workshop days. It is possible to attend 1 two-day training or 2 one-day trainings. June 12-13: Online confe

22 avr. 2025, 13:50:03 | Symfony