CVE-2021-21424

NameCVE-2021-21424
DescriptionSymfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling depending on whether the user existed or not when attempting to use the switch users functionality. We now ensure that 403s are returned whether the user exists or not if a user cannot switch to a user or if the user does not exist. The patch for this issue is available for branch 3.4.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3493-1, ELA-912-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
symfony (PTS)jessie, jessie (lts)2.3.21+dfsg-4+deb8u6vulnerable
stretch (security)2.8.7+dfsg-1.3+deb9u3vulnerable
stretch (lts), stretch2.8.7+dfsg-1.3+deb9u5fixed
buster (security), buster, buster (lts)3.4.22+dfsg-2+deb10u3fixed
bullseye4.4.19+dfsg-2+deb11u6fixed
bookworm5.4.23+dfsg-1+deb12u2fixed
bookworm (security)5.4.23+dfsg-1+deb12u4fixed
sid, trixie6.4.16+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
symfonysourcestretch2.8.7+dfsg-1.3+deb9u4ELA-912-1
symfonysourcebuster3.4.22+dfsg-2+deb10u2DLA-3493-1
symfonysource(unstable)4.4.19+dfsg-2

Notes

[stretch] - symfony <postponed> (Minor issue)
https://symfony.com/blog/cve-2021-21424-prevent-user-enumeration-in-authentication-mechanisms
https://github.com/symfony/symfony/commit/f012eee6c6034a94566dff596fe4e16dfc5d9c1f
[jessie] - symfony <postponed> (Fix along next ELA)

Search for package or bug name: Reporting problems