VulnerableCode Package Details - pkg:composer/symfony/security-core@3.3.4

Search for packages

Vulnerability	Summary	Fixed by
VCID-76y9-1jsf-rfez Aliases: CVE-2017-11365 GHSA-q87v-q8fw-gmj5	Empty passwords validation issue Validating a user password with a `UserPassword` constraint but with no `NotBlank` constraint passes without any error (the empty password would not be compared with the user password). Note that you should always be explicit and add a `NotBlank` constraint, but as it worked before without, it's considered as a backward compatibility break and a security issue.	3.3.5 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-dqaj-qmbd-cya1 Aliases: CVE-2018-11407 GHSA-35c5-28pg-2qg4	Improper Authentication An issue was discovered in the Ldap component in Symfony. It allows remote attackers to bypass authentication by logging in with a `null` password and valid username, which triggers an unauthenticated bind.	3.3.17 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 3.4.7 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 4.0.7 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-e71e-d4tr-wqgz Aliases: CVE-2021-21424 GHSA-5pv8-ppvj-4h68	Prevent user enumeration using Guard or the new Authenticator-based Security Description ----------- The ability to enumerate users was possible without relevant permissions due to different exception messages depending on whether the user existed or not. It was also possible to enumerate users by using a timing attack, by comparing time elapsed when authenticating an existing user and authenticating a non-existing user. Resolution ---------- We now ensure that 403s are returned whether the user exists or not if the password is invalid or if the user does not exist. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/2a581d22cc621b33d5464ed65c4bc2057f72f011) for branch 3.4. Credits ------- I would like to thank James Isaac and Mathias Brodala for reporting the issue and Robin Chalas for fixing the issue.	3.4.48 Affected by 0 other vulnerabilities. 4.4.23 Affected by 0 other vulnerabilities. 5.2.8 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-76y9-1jsf-rfez
Aliases:
CVE-2017-11365
GHSA-q87v-q8fw-gmj5

Empty passwords validation issue Validating a user password with a `UserPassword` constraint but with no `NotBlank` constraint passes without any error (the empty password would not be compared with the user password). Note that you should always be explicit and add a `NotBlank` constraint, but as it worked before without, it's considered as a backward compatibility break and a security issue.

3.3.5
Affected by 2 other vulnerabilities.

VCID-dqaj-qmbd-cya1
Aliases:
CVE-2018-11407
GHSA-35c5-28pg-2qg4

Improper Authentication An issue was discovered in the Ldap component in Symfony. It allows remote attackers to bypass authentication by logging in with a `null` password and valid username, which triggers an unauthenticated bind.

3.3.17
Affected by 2 other vulnerabilities.

3.4.7
Affected by 1 other vulnerability.

4.0.7
Affected by 1 other vulnerability.

VCID-e71e-d4tr-wqgz
Aliases:
CVE-2021-21424
GHSA-5pv8-ppvj-4h68

Prevent user enumeration using Guard or the new Authenticator-based Security Description ----------- The ability to enumerate users was possible without relevant permissions due to different exception messages depending on whether the user existed or not. It was also possible to enumerate users by using a timing attack, by comparing time elapsed when authenticating an existing user and authenticating a non-existing user. Resolution ---------- We now ensure that 403s are returned whether the user exists or not if the password is invalid or if the user does not exist. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/2a581d22cc621b33d5464ed65c4bc2057f72f011) for branch 3.4. Credits ------- I would like to thank James Isaac and Mathias Brodala for reporting the issue and Robin Chalas for fixing the issue.

3.4.48
Affected by 0 other vulnerabilities.

4.4.23
Affected by 0 other vulnerabilities.

5.2.8
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T21:22:51.045080+00:00	GitLab Importer	Affected by	VCID-e71e-d4tr-wqgz	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-core/CVE-2021-21424.yml	38.4.0
2026-04-16T20:54:41.898167+00:00	GitLab Importer	Affected by	VCID-76y9-1jsf-rfez	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-core/CVE-2017-11365.yml	38.4.0
2026-04-16T20:45:22.406573+00:00	GitLab Importer	Affected by	VCID-dqaj-qmbd-cya1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-core/CVE-2018-11407.yml	38.4.0
2026-04-11T22:35:29.104636+00:00	GitLab Importer	Affected by	VCID-e71e-d4tr-wqgz	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-core/CVE-2021-21424.yml	38.3.0
2026-04-11T22:05:40.294918+00:00	GitLab Importer	Affected by	VCID-76y9-1jsf-rfez	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-core/CVE-2017-11365.yml	38.3.0
2026-04-11T21:56:07.822762+00:00	GitLab Importer	Affected by	VCID-dqaj-qmbd-cya1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-core/CVE-2018-11407.yml	38.3.0
2026-04-02T22:46:33.234529+00:00	GitLab Importer	Affected by	VCID-e71e-d4tr-wqgz	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-core/CVE-2021-21424.yml	38.1.0
2026-04-02T22:18:30.896204+00:00	GitLab Importer	Affected by	VCID-76y9-1jsf-rfez	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-core/CVE-2017-11365.yml	38.1.0
2026-04-02T22:09:33.519697+00:00	GitLab Importer	Affected by	VCID-dqaj-qmbd-cya1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-core/CVE-2018-11407.yml	38.1.0
2026-04-01T17:04:28.301255+00:00	GitLab Importer	Affected by	VCID-e71e-d4tr-wqgz	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-core/CVE-2021-21424.yml	38.0.0
2026-04-01T16:36:14.207634+00:00	GitLab Importer	Affected by	VCID-76y9-1jsf-rfez	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-core/CVE-2017-11365.yml	38.0.0
2026-04-01T16:26:48.702053+00:00	GitLab Importer	Affected by	VCID-dqaj-qmbd-cya1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/security-core/CVE-2018-11407.yml	38.0.0