CVE-2018-11408

medium

Description

The security handlers in the Security component in Symfony in 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11 have an open redirect vulnerability when security.http_utils is inlined by a container. NOTE: this issue exists because of an incomplete fix for CVE-2017-16652.

References

https://lists.debian.org/debian-lts-announce/2019/03/msg00009.html

https://lists.fedoraproject.org/archives/list/[email protected]/message/G4XNBMFW33H47O5TZGA7JYCVLDBCXAJV/

https://lists.fedoraproject.org/archives/list/[email protected]/message/UBQK7JDXIELADIPGZIOUCZKMAJM5LSBW/

https://lists.fedoraproject.org/archives/list/[email protected]/message/WU5N2TZFNGXDGMXMPP7LZCWTFLENF6WH/

https://symfony.com/blog/cve-2018-11408-open-redirect-vulnerability-on-security-handlers

Details

Source: MITRE

Published: 2018-06-13

Updated: 2019-03-13

Type: CWE-601

Risk Information

CVSS v2

Base Score: 5.8

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

Impact Score: 4.9

Exploitability Score: 8.6

Severity: MEDIUM

CVSS v3

Base Score: 6.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Impact Score: 2.7

Exploitability Score: 2.8

Severity: MEDIUM