Candidate: CVE-2019-18886
PublicDate: 2019-11-21 18:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18886
 https://symfony.com/blog/cve-2019-18886-prevent-user-enumeration-using-switch-user-functionality
 https://github.com/symfony/symfony/commit/7bd4a92fc9cc15d9a9fbb9eb1041e01b977f8332
Description:
 An issue was discovered in Symfony 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7. The
 ability to enumerate users was possible due to different handling depending
 on whether the user existed when making unauthorized attempts to use the
 switch users functionality. This is related to symfony/security.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N [5.3 MEDIUM]

Patches_symfony:
upstream_symfony: released (4.3.8+dfsg-1)
precise/esm_symfony: DNE
trusty_symfony: ignored (out of standard support)
trusty/esm_symfony: DNE
xenial_symfony: ignored (end of standard support, was needs-triage)
bionic_symfony: not-affected (code not present)
disco_symfony: ignored (reached end-of-life)
eoan_symfony: ignored (reached end-of-life)
focal_symfony: not-affected (4.3.8+dfsg-1ubuntu1)
groovy_symfony: not-affected (4.3.8+dfsg-1ubuntu1)
hirsute_symfony: not-affected (4.3.8+dfsg-1ubuntu1)
impish_symfony: not-affected (4.3.8+dfsg-1ubuntu1)
jammy_symfony: not-affected (4.3.8+dfsg-1ubuntu1)
devel_symfony: not-affected (4.3.8+dfsg-1ubuntu1)