CVE-2017-11365: Empty passwords validation issue

May 23, 2019 (updated May 24, 2019)

Validating a user password with a UserPassword constraint but with no NotBlank constraint passes without any error (the empty password would not be compared with the user password). Note that you should always be explicit and add a NotBlank constraint, but as it worked before without, it’s considered as a backward compatibility break and a security issue.

References

github.com/symfony/symfony/pull/23507
symfony.com/blog/cve-2017-11365-empty-passwords-validation-issue

Detect and mitigate CVE-2017-11365 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →