Strix
26.1K

CVE-2021-21424

MEDIUMCVSS 5.3/10EPSS 1.71%

Last modified

CVE-2021-21424 is a medium-severity vulnerability rated 5.3/10 on the CVSS scale. Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling depending on whether the user existed or not when attempting to use the switch users functionality. EPSS estimates a 1.71% chance of exploitation in the next 30 days.

Description

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling depending on whether the user existed or not when attempting to use the switch users functionality. We now ensure that 403s are returned whether the user exists or not if a user cannot switch to a user or if the user does not exist. The patch for this issue is available for branch 3.4.

Metrics

CVSS 3.1
5.3/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS Probability
1.71%

74.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
SensiolabsSymfony>= 2.8.0, < 3.4.48
SensiolabsSymfony>= 4.0.0, < 4.4.23
SensiolabsSymfony>= 5.0.0, < 5.2.8
FedoraprojectFedora33
FedoraprojectFedora34

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2021-21424?
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling depending on whether the user existed or not when attempting to use the switch users functionality. We now ensure that 403s are returned whether the user exists or not if a user cannot switch to a user or if the user does not exist. The patch for this issue is available for branch 3.4.
How severe is CVE-2021-21424?
CVE-2021-21424 has a CVSS score of 5.3/10 (MEDIUM severity). The EPSS model estimates a 1.71% probability of exploitation in the next 30 days.
How do I fix CVE-2021-21424?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-21424?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST