CVE-2017-16652
unknown
CVSS v3: —
CVSS v2: —
VIR risk: —
Description
An issue was discovered in Symfony 2.7.x before 2.7.38, 2.8.x before 2.8.31, 3.2.x before 3.2.14, and 3.3.x before 3.3.13. DefaultAuthenticationSuccessHandler or DefaultAuthenticationFailureHandler takes the content of the _target_path parameter and generates a redirect response, but no check is performed on the path, which could be an absolute URL to an external domain. This open redirect vulnerability can be exploited, for example, to mount effective phishing attacks.
Predictions
Exploit likelihood: 30%
Patch ETA: —
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2017-16652
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | fixed | 3.4.0+dfsg-1 |
| debian | bullseye | fixed | 3.4.0+dfsg-1 |
| debian | forky | fixed | 3.4.0+dfsg-1 |
| debian | sid | fixed | 3.4.0+dfsg-1 |
| debian | trixie | fixed | 3.4.0+dfsg-1 |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Packagist | symfony/symfony | >=2.7.0,<2.7.38 | 2.7.38 |
| Packagist | symfony/symfony | >=2.8.0,<2.8.31 | 2.8.31 |
| Packagist | symfony/symfony | >=3.2.0,<3.2.14 | 3.2.14 |
| Packagist | symfony/symfony | >=3.3.0,<3.3.13 | 3.3.13 |
| Packagist | symfony/security-http | >=2.7.0,<2.7.38 | 2.7.38 |
| Packagist | symfony/security-http | >=2.8.0,<2.8.31 | 2.8.31 |
| Packagist | symfony/security-http | >=3.2.0,<3.2.14 | 3.2.14 |
| Packagist | symfony/security-http | >=3.3.0,<3.3.13 | 3.3.13 |
| Packagist | symfony/security | >=2.7.0,<2.7.38 | 2.7.38 |
| Packagist | symfony/security | >=2.8.0,<2.8.31 | 2.8.31 |
| Packagist | symfony/security | >=3.2.0,<3.2.14 | 3.2.14 |
| Packagist | symfony/security | >=3.3.0,<3.3.13 | 3.3.13 |
References
- https://nvd.nist.gov/vuln/detail/CVE-2017-16652
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2017-16652.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security/CVE-2017-16652.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2017-16652.yaml
- https://github.com/symfony/symfony
- https://lists.debian.org/debian-lts-announce/2019/03/msg00009.html
- https://symfony.com/blog/cve-2017-16652-open-redirect-vulnerability-on-security-handlers
- https://symfony.com/cve-2017-16652
- https://security-tracker.debian.org/tracker/CVE-2017-16652