CVE-2019-16768

In affected versions of Sylius, exception messages from internal exceptions (like database exception) are wrapped by \Symfony\Component\Security\Core\Exception\AuthenticationServiceException and propagated through the system to UI. Therefore, some internal system information may leak and be visible to the customer. A validation message with the exception details will be presented to the user when one will try to log into the shop. This has been patched in versions 1.3.14, 1.4.10, 1.5.7, and 1.6.3.

CVSS v3 4.3 MEDIUM
CVSS v2.0 4.0 MEDIUM

4.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:P/I:N/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://github.com/Sylius/Sylius/commit/be245302dfc594d8690fe50dd47631d186aa945f	Release Notes
https://github.com/Sylius/Sylius/security/advisories/GHSA-3r8j-pmch-5j2h	Mitigation Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:sylius:sylius::::::::
	cpe:2.3:a:sylius:sylius::::::::
	cpe:2.3:a:sylius:sylius::::::::
	cpe:2.3:a:sylius:sylius::::::::

History

No history.

Information

Published : 2019-12-05 20:15

Updated : 2023-12-10 13:13

NVD link : CVE-2019-16768

Mitre link : CVE-2019-16768

CVE.ORG link : CVE-2019-16768

JSON object : View

Products Affected

sylius

sylius

CWE

CWE-209

Generation of Error Message Containing Sensitive Information

{"id": "CVE-2019-16768", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "authentication": "SINGLE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.5, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.1}]}, "published": "2019-12-05T20:15:09.997", "references": [{"url": "https://github.com/Sylius/Sylius/commit/be245302dfc594d8690fe50dd47631d186aa945f", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-3r8j-pmch-5j2h", "tags": ["Mitigation", "Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-209"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-209"}]}], "descriptions": [{"lang": "en", "value": "In affected versions of Sylius, exception messages from internal exceptions (like database exception) are wrapped by \\Symfony\\Component\\Security\\Core\\Exception\\AuthenticationServiceException and propagated through the system to UI. Therefore, some internal system information may leak and be visible to the customer. A validation message with the exception details will be presented to the user when one will try to log into the shop. This has been patched in versions 1.3.14, 1.4.10, 1.5.7, and 1.6.3."}, {"lang": "es", "value": "Unos mensajes de excepci\u00f3n de las excepciones internas (como la excepci\u00f3n de la base de datos) est\u00e1n empaquetados por \\Symfony\\Component\\Security\\Core\\Exception\\AuthenticationServiceException y se propagan por medio del sistema a la Interfaz de Usuario. Por lo tanto, algo de la informaci\u00f3n interna del sistema puede filtrarse y ser visible para el cliente. Un mensaje de comprobaci\u00f3n con los detalles de la excepci\u00f3n ser\u00e1 presentado al usuario cuando uno intentase iniciar sesi\u00f3n en la tienda."}], "lastModified": "2019-12-17T20:54:26.607", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "775912B0-A604-4155-AADD-870B1E3F9519", "versionEndExcluding": "1.3.14"}, {"criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DC5C9FB3-982A-463A-B9D6-E51CC6299DAF", "versionEndExcluding": "1.4.10", "versionStartIncluding": "1.4.0"}, {"criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "76962E39-CE3E-4406-84D3-904127B845B2", "versionEndExcluding": "1.5.7", "versionStartIncluding": "1.5.0"}, {"criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6433D719-0A14-42DA-8F34-4EAEAE6AB71B", "versionEndExcluding": "1.6.3", "versionStartIncluding": "1.6.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}