Vulnerability Instance
Look up vulnerabilities affecting packages.
GET /api/vulnerabilities/19200?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/19200?format=api", "vulnerability_id": "VCID-7ms4-3hc6-8bgv", "summary": "Symfony may allow a user to switch to using another user's identity\nSymfony 2.0.6 has just been released. It addresses a security vulnerability in the EntityUserProvider as provided in the Doctrine bridge.\n\nIf you let your users update their login/username from a form, and if you are using Doctrine as a user provider, then you are vulnerable and you should upgrade as soon as possible.\n\nThe issue is that it is possible for a user to switch to another one. Here is how to reproduce it: The current user changes its username via a form to another existing username. When the form is submitted, he will have a validation error (as the username already exists) but the user object in the session will still be modified to the new username. This user from the session will be used for the next requests and so the user will be switched to this other user.\n\nThe fix is to always refresh the user via the primary key (which cannot be updated via a form) instead of the username.\n\nIf you cannot upgrade immediately, please apply the following patch: https://github.com/symfony/symfony/commit/9d2ab9ca9c1762", "aliases": [ { "alias": "GHSA-7mx2-7q8p-pgmw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/20121?format=api", "purl": "pkg:composer/symfony/symfony@2.0.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-23wm-y6hh-hfd3" }, { "vulnerability": "VCID-2hua-7wbd-tqbx" }, { "vulnerability": "VCID-446x-j2gr-f3a2" }, { "vulnerability": "VCID-4num-z8cg-83gt" }, { "vulnerability": "VCID-556v-rym3-6yax" }, { "vulnerability": "VCID-6cea-up73-y3hn" }, { "vulnerability": "VCID-6z5x-uwjt-uueq" }, { "vulnerability": "VCID-71vh-7wte-kfcx" }, { "vulnerability": "VCID-9bzz-84cq-ykh2" }, { "vulnerability": "VCID-ahhz-bs6u-f3bc" }, { "vulnerability": "VCID-bdhj-np35-sybt" }, { 
"vulnerability": "VCID-bhfu-7788-fbhc" }, { "vulnerability": "VCID-bny7-h1nn-bkbc" }, { "vulnerability": "VCID-c8ar-82sr-fqej" }, { "vulnerability": "VCID-d1kp-7aht-9qa2" }, { "vulnerability": "VCID-fgxs-w84s-8kh3" }, { "vulnerability": "VCID-hzwd-mq3r-qfcb" }, { "vulnerability": "VCID-jdsd-3vnz-uygn" }, { "vulnerability": "VCID-jjqk-u4vs-tbba" }, { "vulnerability": "VCID-k37h-bhh2-myaj" }, { "vulnerability": "VCID-k8ze-h7fe-fkg2" }, { "vulnerability": "VCID-kgu6-gj5d-7bfx" }, { "vulnerability": "VCID-neyj-8fkw-fyb7" }, { "vulnerability": "VCID-nsk8-bk5e-tbfh" }, { "vulnerability": "VCID-p1dw-w76f-gbfv" }, { "vulnerability": "VCID-qty4-cyfa-rugw" }, { "vulnerability": "VCID-qwcj-hq3g-2qd7" }, { "vulnerability": "VCID-rgh3-ef8t-k3ec" }, { "vulnerability": "VCID-rxbg-gmn6-kbeq" }, { "vulnerability": "VCID-rztj-ug83-dyga" }, { "vulnerability": "VCID-sfzy-423b-j3b4" }, { "vulnerability": "VCID-skth-cf6d-3ubr" }, { "vulnerability": "VCID-srrc-wxew-1fc6" }, { "vulnerability": "VCID-thtp-ehsj-t3ej" }, { "vulnerability": "VCID-u84h-sr6a-4uc7" }, { "vulnerability": "VCID-unuf-vj1b-qbhr" }, { "vulnerability": "VCID-wwhm-mrr3-v7h3" }, { "vulnerability": "VCID-xmur-ps51-myfu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.0.6" } ], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/20036?format=api", "purl": "pkg:composer/symfony/symfony@2.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-23wm-y6hh-hfd3" }, { "vulnerability": "VCID-2hua-7wbd-tqbx" }, { "vulnerability": "VCID-446x-j2gr-f3a2" }, { "vulnerability": "VCID-556v-rym3-6yax" }, { "vulnerability": "VCID-6cea-up73-y3hn" }, { "vulnerability": "VCID-6z5x-uwjt-uueq" }, { "vulnerability": "VCID-71vh-7wte-kfcx" }, { "vulnerability": "VCID-742s-vczp-tuh1" }, { "vulnerability": "VCID-7ms4-3hc6-8bgv" }, { "vulnerability": "VCID-ahhz-bs6u-f3bc" }, { "vulnerability": "VCID-bdhj-np35-sybt" }, { "vulnerability": 
"VCID-bhfu-7788-fbhc" }, { "vulnerability": "VCID-bny7-h1nn-bkbc" }, { "vulnerability": "VCID-d1kp-7aht-9qa2" }, { "vulnerability": "VCID-fgxs-w84s-8kh3" }, { "vulnerability": "VCID-hzwd-mq3r-qfcb" }, { "vulnerability": "VCID-jdsd-3vnz-uygn" }, { "vulnerability": "VCID-jjqk-u4vs-tbba" }, { "vulnerability": "VCID-k37h-bhh2-myaj" }, { "vulnerability": "VCID-neyj-8fkw-fyb7" }, { "vulnerability": "VCID-p1dw-w76f-gbfv" }, { "vulnerability": "VCID-qty4-cyfa-rugw" }, { "vulnerability": "VCID-rgh3-ef8t-k3ec" }, { "vulnerability": "VCID-rxbg-gmn6-kbeq" }, { "vulnerability": "VCID-rztj-ug83-dyga" }, { "vulnerability": "VCID-sfzy-423b-j3b4" }, { "vulnerability": "VCID-srrc-wxew-1fc6" }, { "vulnerability": "VCID-thtp-ehsj-t3ej" }, { "vulnerability": "VCID-u84h-sr6a-4uc7" }, { "vulnerability": "VCID-unuf-vj1b-qbhr" }, { "vulnerability": "VCID-wwhm-mrr3-v7h3" }, { "vulnerability": "VCID-xmur-ps51-myfu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.0.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/147931?format=api", "purl": "pkg:composer/symfony/symfony@2.0.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-23wm-y6hh-hfd3" }, { "vulnerability": "VCID-2hua-7wbd-tqbx" }, { "vulnerability": "VCID-446x-j2gr-f3a2" }, { "vulnerability": "VCID-4num-z8cg-83gt" }, { "vulnerability": "VCID-556v-rym3-6yax" }, { "vulnerability": "VCID-6cea-up73-y3hn" }, { "vulnerability": "VCID-6z5x-uwjt-uueq" }, { "vulnerability": "VCID-71vh-7wte-kfcx" }, { "vulnerability": "VCID-742s-vczp-tuh1" }, { "vulnerability": "VCID-7ms4-3hc6-8bgv" }, { "vulnerability": "VCID-9bzz-84cq-ykh2" }, { "vulnerability": "VCID-ahhz-bs6u-f3bc" }, { "vulnerability": "VCID-bdhj-np35-sybt" }, { "vulnerability": "VCID-bhfu-7788-fbhc" }, { "vulnerability": "VCID-bny7-h1nn-bkbc" }, { "vulnerability": "VCID-c8ar-82sr-fqej" }, { "vulnerability": "VCID-d1kp-7aht-9qa2" }, { "vulnerability": "VCID-fgxs-w84s-8kh3" }, { "vulnerability": 
"VCID-hzwd-mq3r-qfcb" }, { "vulnerability": "VCID-jdsd-3vnz-uygn" }, { "vulnerability": "VCID-jjqk-u4vs-tbba" }, { "vulnerability": "VCID-k37h-bhh2-myaj" }, { "vulnerability": "VCID-k8ze-h7fe-fkg2" }, { "vulnerability": "VCID-kgu6-gj5d-7bfx" }, { "vulnerability": "VCID-neyj-8fkw-fyb7" }, { "vulnerability": "VCID-nsk8-bk5e-tbfh" }, { "vulnerability": "VCID-p1dw-w76f-gbfv" }, { "vulnerability": "VCID-qty4-cyfa-rugw" }, { "vulnerability": "VCID-qwcj-hq3g-2qd7" }, { "vulnerability": "VCID-rgh3-ef8t-k3ec" }, { "vulnerability": "VCID-rxbg-gmn6-kbeq" }, { "vulnerability": "VCID-rztj-ug83-dyga" }, { "vulnerability": "VCID-sfzy-423b-j3b4" }, { "vulnerability": "VCID-skth-cf6d-3ubr" }, { "vulnerability": "VCID-srrc-wxew-1fc6" }, { "vulnerability": "VCID-thtp-ehsj-t3ej" }, { "vulnerability": "VCID-u84h-sr6a-4uc7" }, { "vulnerability": "VCID-unuf-vj1b-qbhr" }, { "vulnerability": "VCID-wwhm-mrr3-v7h3" }, { "vulnerability": "VCID-xmur-ps51-myfu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.0.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/147932?format=api", "purl": "pkg:composer/symfony/symfony@2.0.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-23wm-y6hh-hfd3" }, { "vulnerability": "VCID-2hua-7wbd-tqbx" }, { "vulnerability": "VCID-446x-j2gr-f3a2" }, { "vulnerability": "VCID-4num-z8cg-83gt" }, { "vulnerability": "VCID-556v-rym3-6yax" }, { "vulnerability": "VCID-6cea-up73-y3hn" }, { "vulnerability": "VCID-6z5x-uwjt-uueq" }, { "vulnerability": "VCID-71vh-7wte-kfcx" }, { "vulnerability": "VCID-742s-vczp-tuh1" }, { "vulnerability": "VCID-7ms4-3hc6-8bgv" }, { "vulnerability": "VCID-9bzz-84cq-ykh2" }, { "vulnerability": "VCID-ahhz-bs6u-f3bc" }, { "vulnerability": "VCID-bdhj-np35-sybt" }, { "vulnerability": "VCID-bhfu-7788-fbhc" }, { "vulnerability": "VCID-bny7-h1nn-bkbc" }, { "vulnerability": "VCID-c8ar-82sr-fqej" }, { "vulnerability": "VCID-d1kp-7aht-9qa2" }, { "vulnerability": 
"VCID-fgxs-w84s-8kh3" }, { "vulnerability": "VCID-hzwd-mq3r-qfcb" }, { "vulnerability": "VCID-jdsd-3vnz-uygn" }, { "vulnerability": "VCID-jjqk-u4vs-tbba" }, { "vulnerability": "VCID-k37h-bhh2-myaj" }, { "vulnerability": "VCID-k8ze-h7fe-fkg2" }, { "vulnerability": "VCID-kgu6-gj5d-7bfx" }, { "vulnerability": "VCID-neyj-8fkw-fyb7" }, { "vulnerability": "VCID-nsk8-bk5e-tbfh" }, { "vulnerability": "VCID-p1dw-w76f-gbfv" }, { "vulnerability": "VCID-qty4-cyfa-rugw" }, { "vulnerability": "VCID-qwcj-hq3g-2qd7" }, { "vulnerability": "VCID-rgh3-ef8t-k3ec" }, { "vulnerability": "VCID-rxbg-gmn6-kbeq" }, { "vulnerability": "VCID-rztj-ug83-dyga" }, { "vulnerability": "VCID-sfzy-423b-j3b4" }, { "vulnerability": "VCID-skth-cf6d-3ubr" }, { "vulnerability": "VCID-srrc-wxew-1fc6" }, { "vulnerability": "VCID-thtp-ehsj-t3ej" }, { "vulnerability": "VCID-u84h-sr6a-4uc7" }, { "vulnerability": "VCID-unuf-vj1b-qbhr" }, { "vulnerability": "VCID-wwhm-mrr3-v7h3" }, { "vulnerability": "VCID-xmur-ps51-myfu" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/symfony/symfony@2.0.5" } ], "references": [ { "reference_url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/2011-11-16.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/2011-11-16.yaml" }, { "reference_url": "https://github.com/symfony/symfony", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/symfony/symfony" }, { "reference_url": 
"https://github.com/symfony/symfony/commit/9d2ab9ca9c1762", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/symfony/symfony/commit/9d2ab9ca9c1762" }, { "reference_url": "https://symfony.com/blog/security-release-symfony-2-0-6", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://symfony.com/blog/security-release-symfony-2-0-6" }, { "reference_url": "https://github.com/advisories/GHSA-7mx2-7q8p-pgmw", "reference_id": "GHSA-7mx2-7q8p-pgmw", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7mx2-7q8p-pgmw" } ], "weaknesses": [ { "cwe_id": 287, "name": "Improper Authentication", "description": "When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct." }, { "cwe_id": 937, "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013." }, { "cwe_id": 1035, "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017." } ], "exploits": [], "severity_range_score": "4.0 - 6.9", "exploitability": "0.5", "weighted_severity": "6.2", "risk_score": 3.1, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7ms4-3hc6-8bgv" }