CVE-2019-16768 - OpenCVE

In affected versions of Sylius, exception messages from internal exceptions (like database exception) are wrapped by \Symfony\Component\Security\Core\Exception\AuthenticationServiceException and propagated through the system to UI. Therefore, some internal system information may leak and be visible to the customer. A validation message with the exception details will be presented to the user when one will try to log into the shop. This has been patched in versions 1.3.14, 1.4.10, 1.5.7, and 1.6.3.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Sylius	Sylius

Configuration 1 [-]

OR	cpe:2.3:a:sylius:sylius::::::::
	cpe:2.3:a:sylius:sylius::::::::
	cpe:2.3:a:sylius:sylius::::::::
	cpe:2.3:a:sylius:sylius::::::::

References

Link	Resource
https://github.com/Sylius/Sylius/commit/be245302dfc594d8690fe50dd47631d186aa945f	Release Notes
https://github.com/Sylius/Sylius/security/advisories/GHSA-3r8j-pmch-5j2h	Mitigation Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2019-12-05T20:00:21

Updated: 2019-12-06T15:13:56

Reserved: 2019-09-24T00:00:00

Link: CVE-2019-16768

JSON object: View

NVD Information

Status : Analyzed

Published: 2019-12-05T20:15:09.997

Modified: 2019-12-17T20:54:26.607

Link: CVE-2019-16768

JSON object: View

Redhat Information

No data.

CWE

CWE-209

{"containers": {"cna": {"affected": [{"product": "Sylius", "vendor": "Sylius", "versions": [{"lessThan": "1.3.14", "status": "affected", "version": "< 1.3.14", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "In affected versions of Sylius, exception messages from internal exceptions (like database exception) are wrapped by \\Symfony\\Component\\Security\\Core\\Exception\\AuthenticationServiceException and propagated through the system to UI. Therefore, some internal system information may leak and be visible to the customer. A validation message with the exception details will be presented to the user when one will try to log into the shop. This has been patched in versions 1.3.14, 1.4.10, 1.5.7, and 1.6.3."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-209", "description": "CWE-209 Information Exposure Through an Error Message", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-12-06T15:13:56", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-3r8j-pmch-5j2h"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/Sylius/Sylius/commit/be245302dfc594d8690fe50dd47631d186aa945f"}], "source": {"advisory": "GHSA-3r8j-pmch-5j2h", "discovery": "UNKNOWN"}, "title": "Internal exception message exposure for login action in Sylius", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2019-16768", "STATE": "PUBLIC", "TITLE": "Internal exception message exposure for login action in Sylius"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Sylius", "version": {"version_data": [{"version_affected": "<", "version_name": "< 1.3.14", "version_value": "1.3.14"}]}}]}, "vendor_name": "Sylius"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In affected versions of Sylius, exception messages from internal exceptions (like database exception) are wrapped by \\Symfony\\Component\\Security\\Core\\Exception\\AuthenticationServiceException and propagated through the system to UI. Therefore, some internal system information may leak and be visible to the customer. A validation message with the exception details will be presented to the user when one will try to log into the shop. This has been patched in versions 1.3.14, 1.4.10, 1.5.7, and 1.6.3."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-209 Information Exposure Through an Error Message"}]}]}, "references": {"reference_data": [{"name": "https://github.com/Sylius/Sylius/security/advisories/GHSA-3r8j-pmch-5j2h", "refsource": "CONFIRM", "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-3r8j-pmch-5j2h"}, {"name": "https://github.com/Sylius/Sylius/commit/be245302dfc594d8690fe50dd47631d186aa945f", "refsource": "MISC", "url": "https://github.com/Sylius/Sylius/commit/be245302dfc594d8690fe50dd47631d186aa945f"}]}, "source": {"advisory": "GHSA-3r8j-pmch-5j2h", "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2019-16768", "datePublished": "2019-12-05T20:00:21", "dateReserved": "2019-09-24T00:00:00", "dateUpdated": "2019-12-06T15:13:56", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*", "matchCriteriaId": "775912B0-A604-4155-AADD-870B1E3F9519", "versionEndExcluding": "1.3.14", "vulnerable": true}, {"criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*", "matchCriteriaId": "DC5C9FB3-982A-463A-B9D6-E51CC6299DAF", "versionEndExcluding": "1.4.10", "versionStartIncluding": "1.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*", "matchCriteriaId": "76962E39-CE3E-4406-84D3-904127B845B2", "versionEndExcluding": "1.5.7", "versionStartIncluding": "1.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*", "matchCriteriaId": "6433D719-0A14-42DA-8F34-4EAEAE6AB71B", "versionEndExcluding": "1.6.3", "versionStartIncluding": "1.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In affected versions of Sylius, exception messages from internal exceptions (like database exception) are wrapped by \\Symfony\\Component\\Security\\Core\\Exception\\AuthenticationServiceException and propagated through the system to UI. Therefore, some internal system information may leak and be visible to the customer. A validation message with the exception details will be presented to the user when one will try to log into the shop. This has been patched in versions 1.3.14, 1.4.10, 1.5.7, and 1.6.3."}, {"lang": "es", "value": "Unos mensajes de excepci\u00f3n de las excepciones internas (como la excepci\u00f3n de la base de datos) est\u00e1n empaquetados por \\Symfony\\Component\\Security\\Core\\Exception\\AuthenticationServiceException y se propagan por medio del sistema a la Interfaz de Usuario. Por lo tanto, algo de la informaci\u00f3n interna del sistema puede filtrarse y ser visible para el cliente. Un mensaje de comprobaci\u00f3n con los detalles de la excepci\u00f3n ser\u00e1 presentado al usuario cuando uno intentase iniciar sesi\u00f3n en la tienda."}], "id": "CVE-2019-16768", "lastModified": "2019-12-17T20:54:26.607", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2019-12-05T20:15:09.997", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/Sylius/Sylius/commit/be245302dfc594d8690fe50dd47631d186aa945f"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-3r8j-pmch-5j2h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-209"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-209"}], "source": "security-advisories@github.com", "type": "Secondary"}]}