CVE-2019-18886

Name	CVE-2019-18886
Description	An issue was discovered in Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7. The ability to enumerate users was possible due to different handling depending on whether the user existed when making unauthorized attempts to use the switch users functionality. This is related to symfony/security.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-1999-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
symfony (PTS)	jessie, jessie (lts)	2.3.21+dfsg-4+deb8u6	fixed
	stretch (security)	2.8.7+dfsg-1.3+deb9u3	fixed
	stretch (lts), stretch	2.8.7+dfsg-1.3+deb9u5	fixed
	buster (security), buster, buster (lts)	3.4.22+dfsg-2+deb10u3	fixed
	bullseye	4.4.19+dfsg-2+deb11u6	fixed
	bookworm	5.4.23+dfsg-1+deb12u2	fixed
	bookworm (security)	5.4.23+dfsg-1+deb12u4	fixed
	sid, trixie	6.4.15+dfsg-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin
symfony	source	wheezy	(unfixed)	end-of-life
symfony	source	jessie	2.3.21+dfsg-4+deb8u6		DLA-1999-1
symfony	source	stretch	(not affected)
symfony	source	buster	(not affected)
symfony	source	(unstable)	4.3.8+dfsg-1

Notes

[buster] - symfony <not-affected> (Vulnerability introduced in 4.1.0)
[stretch] - symfony <not-affected> (Vulnerability introduced in 4.1.0)
https://symfony.com/blog/cve-2019-18886-prevent-user-enumeration-using-switch-user-functionality
Introduced by: https://github.com/symfony/symfony/commit/6e6ac9eaeec9e6a6cc0ab003cac3738460542b0a (v4.1.0-BETA1)
Previous versions asserts "the current user is granted to switch" BEFORE
"loading the user" and thus are not affected.
Fixed by: https://github.com/symfony/symfony/commit/7bd4a92fc9cc15d9a9fbb9eb1041e01b977f8332 (v4.2.12)