Prevent user enumeration using Guard or the new Authenticator-based Security

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling depending on whether the user existed or not when attempting to use the switch users functionality. We now ensure that 403s are returned whether the user exists or not if a user cannot switch to a user or if the user does not exist. The patch for this issue is available for branch 3.4.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

信息暴露

Sensio Labs Symfony 信息泄露漏洞

Sensio Labs Symfony是法国Sensio Labs公司的一套免费的、基于MVC架构的PHP开发框架。该框架提供常用的功能组件及工具，可用于快速创建复杂的WEB程序。 Symfony 存在安全漏洞。该漏洞源于应用程序基于应用程序数据库中用户帐户名的存在而返回不同的响应。远程攻击者枚举应用程序用户。以下产品及版本受到影响：Symfony: 3.0.0, 3.0.0-1, 3.0.01, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8

N/A

N/A