{"id":"CVE-2016-2403","details":"Symfony before 2.8.6 and 3.x before 3.0.6 allows remote attackers to bypass authentication by logging in with an empty password and a valid username, which triggers an unauthenticated LDAP bind.","aliases":["GHSA-wvj5-r78r-hhfq"],"modified":"2026-04-11T15:23:22.497486Z","published":"2017-02-07T17:59:00.303Z","references":[{"type":"ADVISORY","url":"http://symfony.com/blog/cve-2016-2403-unauthorized-access-on-a-misconfigured-ldap-server-when-using-an-empty-password"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/96137"},{"type":"ADVISORY","url":"https://www.debian.org/security/2018/dsa-4262"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/symfony/symfony","events":[{"introduced":"0"},{"last_affected":"5615b92cd452cd54f1433a3f53de87c096a1107f"},{"last_affected":"8956ed50a44c5c4e02f2176c0773e24487477b09"},{"last_affected":"f3e6a82bcbea4db3b56df08e491e20a1faae82b5"},{"last_affected":"7a9a5fce7ce6e448e527f635463dda00761e12c2"},{"last_affected":"9e14f9f4869c19188a376eab61d9a1c1f1fee347"},{"last_affected":"39ddd2383f4113cf67f8b28cde2c9d3fa340c3c2"},{"last_affected":"eb2a4f5f7a09fc4ce7a74ae883a8cf8a279614f5"},{"last_affected":"979d7323716fec847508eac3e62d59b117612a6e"},{"last_affected":"18c3d4f356931a5b6a4afb0cc679a2c58931c795"},{"last_affected":"09ae53562ce8b7842206efa217ec81442975f055"},{"last_affected":"4e17cb2ecb3fd637097ebeb871fc0e2cbdd5e7ff"},{"last_affected":"10c83b58fbb42be516377de54962a758695ad964"}],"database_specific":{"source":"CPE_FIELD","cpe":["cpe:2.3:a:sensiolabs:symfony:2.8.0:*:*:*:*:*:*:*","cpe:2.3:a:sensiolabs:symfony:2.8.1:*:*:*:*:*:*:*","cpe:2.3:a:sensiolabs:symfony:2.8.2:*:*:*:*:*:*:*","cpe:2.3:a:sensiolabs:symfony:2.8.3:*:*:*:*:*:*:*","cpe:2.3:a:sensiolabs:symfony:2.8.4:*:*:*:*:*:*:*","cpe:2.3:a:sensiolabs:symfony:2.8.5:*:*:*:*:*:*:*","cpe:2.3:a:sensiolabs:symfony:3.0.0:*:*:*:*:*:*:*","cpe:2.3:a:sensiolabs:symfony:3.0.1:*:*:*:*:*:*:*","cpe:2.3:a:sensiolabs:symfony:3.0.2:*:*:*:*:*:*:*","cpe:2.3:a:
sensiolabs:symfony:3.0.3:*:*:*:*:*:*:*","cpe:2.3:a:sensiolabs:symfony:3.0.4:*:*:*:*:*:*:*","cpe:2.3:a:sensiolabs:symfony:3.0.5:*:*:*:*:*:*:*"],"extracted_events":[{"introduced":"0"},{"last_affected":"2.8.0"},{"last_affected":"2.8.1"},{"last_affected":"2.8.2"},{"last_affected":"2.8.3"},{"last_affected":"2.8.4"},{"last_affected":"2.8.5"},{"last_affected":"3.0.0"},{"last_affected":"3.0.1"},{"last_affected":"3.0.2"},{"last_affected":"3.0.3"},{"last_affected":"3.0.4"},{"last_affected":"3.0.5"}]}}],"versions":["v2.0.0","v2.0.0-RC1","v2.0.0-RC2","v2.0.0-RC3","v2.0.0-RC4","v2.0.0-RC5","v2.0.0-RC6","v2.0.0BETA1","v2.0.0BETA2","v2.0.0BETA3","v2.0.0BETA4","v2.0.0BETA5","v2.0.0PR8","v2.1.0","v2.1.0-BETA1","v2.1.0-BETA2","v2.1.0-BETA3","v2.1.0-BETA4","v2.1.0-RC1","v2.1.0-RC2","v2.2.0-BETA1","v2.2.0-BETA2","v2.3.0-BETA1","v2.3.0-BETA2","v2.4.0-BETA1","v2.4.0-BETA2","v2.5.0-BETA1","v2.5.0-BETA2","v2.6.0-BETA1","v2.8.0","v2.8.0-BETA1","v2.8.1","v2.8.2","v2.8.3","v2.8.4","v2.8.5","v3.0.0","v3.0.0-BETA1","v3.0.1","v3.0.2","v3.0.3","v3.0.4","v3.0.5","vPR3","vPR4","vPR5","vPR6","vPR8","vPR9"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-2403.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}