Advisories for Composer/Symfony/Security-Core package

2021

Exposure of Sensitive Information to an Unauthorized Actor

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling depending on whether the user existed or not when attempting to use the switch users functionality. We now ensure that s are returned whether the user exists or not if a user cannot switch to a user or if …

2019

Empty passwords validation issue

Validating a user password with a UserPassword constraint but with no NotBlank constraint passes without any error (the empty password would not be compared with the user password). Note that you should always be explicit and add a NotBlank constraint, but as it worked before without, it's considered as a backward compatibility break and a security issue.

2018
2017
2016

Cryptographic Issues

The nextBytes function in the SecureRandom class does not properly generate random numbers when used with PHP without the paragonie/random_compat library and the openssl_random_pseudo_bytes function fails, which makes it easier for attackers to defeat cryptographic protection mechanisms via unspecified vectors.