{"id":"UBUNTU-CVE-2018-11408","details":"The security handlers in the Security component in Symfony in 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11 have an Open redirect vulnerability when security.http_utils is inlined by a container.  NOTE: this issue exists because of an incomplete fix for CVE-2017-16652.","modified":"2025-10-24T04:47:02Z","published":"2018-06-13T16:29:00Z","upstream":["CVE-2018-11408"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2018-11408"},{"type":"REPORT","url":"https://symfony.com/blog/cve-2018-11408-open-redirect-vulnerability-on-security-handlers"},{"type":"REPORT","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G4XNBMFW33H47O5TZGA7JYCVLDBCXAJV/"},{"type":"REPORT","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBQK7JDXIELADIPGZIOUCZKMAJM5LSBW/"},{"type":"REPORT","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WU5N2TZFNGXDGMXMPP7LZCWTFLENF6WH/"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2018-11408"}],"affected":[{"package":{"name":"symfony","ecosystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/symfony@2.7.10-0ubuntu2?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.7.1+dfsg-1","2.7.5+dfsg-1","2.7.9+dfsg-1","2.7.9+dfsg-1ubuntu2","2.7.10-0ubuntu2"],"ecosystem_specific":{"binaries":[{"binary_name":"php-symfony-asset","binary_version":"2.7.10-0ubuntu2"},{"binary_name":"php-symfony-browser-kit","binary_version":"2.7.10-0ubuntu2"},{"binary_name":"php-symfony-class-loader","binary_version":"2.7.10-0ubuntu2"},{"binary_name":"php-symfony-config","binary_version":"2.7.10-0ubuntu2"},{"binary_name":"php-symfony-console","binary_version":"2.7.10-0ubuntu2"},{"binary_name":"php-symfony-css-selector","binary_version":"2.7.10-0ubuntu2"},{"binary_name":"php-symfony-debug","binary_version":"2.7.10-0ubuntu2"},{"binary_name":"php-symfony-debug-bundle","binary_version":"2.7.10-0ubuntu2"},{"binary_name":"php-symfony-dependency-injection","binary_version":"2.7.10-0ubuntu2"},{"binary_name":"php-symfony-doctrine-bridge","binary_version":"2.7.10-0ubuntu2"},{"binary_name":"php-symfony-dom-crawler","binary_version":"2.7.10-0ubuntu2"},{"binary_name":"php-symfony-event-dispatcher","binary_version":"2.7.10-0ubuntu2"},{"binary_name":"php-symfony-expression-language","binary_version":"2.7.10-0ubuntu2"},{"binary_name":"php-symfony-filesystem","binary_version":"2.7.10-0ubuntu2"},{"binary_name":"php-symfony-finder","binary_version":"2.7.10-0ubuntu2"},{"binary_name":"php-symfony-form","binary_version":"2.7.10-0ubuntu2"},{"binary_name":"php-symfony-framework-bundle","binary_version":"2.7.10-0ubuntu2"},{"binary_name":"php-symfony-http-foundation","binary_version":"2.7.10-0ubuntu2"},{"binary_name":"php-symfony-http-kernel","binary_version":"2.7.10-0ubuntu2"},{"binary_name":"php-symfony-intl","binary_version":"2.7.10-0ubuntu2"},{"binary_name":"php-symfony-locale","binary_version":"2.7.10-0ubuntu2"},{"binary_name":"php-symfony-monolog-bridge","binary_version":"2.7.10-0ubuntu2"},{"binary_name":"php-symfony-options-resolver","binary_version":"2.7.10-0ubuntu2"},{"binary_name":"php-symfony-phpunit-bridge","binary_version":"2.7.10-0ubuntu2"},{"binary_name":"php-symfony-process","binary_version":"2.7.10-0ubuntu2"},{"binary_name":"php-symfony-property-access","binary_version":"2.7.10-0ubuntu2"},{"binary_name":"php-symfony-proxy-manager-bridge","binary_version":"2.7.10-0ubuntu2"},{"binary_name":"php-symfony-routing","binary_version":"2.7.10-0ubuntu2"},{"binary_name":"php-symfony-security","binary_version":"2.7.10-0ubuntu2"},{"binary_name":"php-symfony-security-bundle","binary_version":"2.7.10-0ubuntu2"},{"binary_name":"php-symfony-serializer","binary_version":"2.7.10-0ubuntu2"},{"binary_name":"php-symfony-stopwatch","binary_version":"2.7.10-0ubuntu2"},{"binary_name":"php-symfony-swiftmailer-bridge","binary_version":"2.7.10-0ubuntu2"},{"binary_name":"php-symfony-templating","binary_version":"2.7.10-0ubuntu2"},{"binary_name":"php-symfony-translation","binary_version":"2.7.10-0ubuntu2"},{"binary_name":"php-symfony-twig-bridge","binary_version":"2.7.10-0ubuntu2"},{"binary_name":"php-symfony-twig-bundle","binary_version":"2.7.10-0ubuntu2"},{"binary_name":"php-symfony-validator","binary_version":"2.7.10-0ubuntu2"},{"binary_name":"php-symfony-var-dumper","binary_version":"2.7.10-0ubuntu2"},{"binary_name":"php-symfony-web-profiler-bundle","binary_version":"2.7.10-0ubuntu2"},{"binary_name":"php-symfony-yaml","binary_version":"2.7.10-0ubuntu2"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2018/UBUNTU-CVE-2018-11408.json"}},{"package":{"name":"symfony","ecosystem":"Ubuntu:Pro:18.04:LTS","purl":"pkg:deb/ubuntu/symfony@3.4.6+dfsg-1ubuntu0.1+esm2?arch=source&distro=esm-apps/bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"}]}],"versions":["2.8.7+dfsg-1.3ubuntu1","3.4.3+dfsg-1ubuntu4","3.4.6+dfsg-1","3.4.6+dfsg-1ubuntu0.1","3.4.6+dfsg-1ubuntu0.1+esm1","3.4.6+dfsg-1ubuntu0.1+esm2"],"ecosystem_specific":{"binaries":[{"binary_name":"php-symfony","binary_version":"3.4.6+dfsg-1ubuntu0.1+esm2"},{"binary_name":"php-symfony-asset","binary_version":"3.4.6+dfsg-1ubuntu0.1+esm2"},{"binary_name":"php-symfony-browser-kit","binary_version":"3.4.6+dfsg-1ubuntu0.1+esm2"},{"binary_name":"php-symfony-cache","binary_version":"3.4.6+dfsg-1ubuntu0.1+esm2"},{"binary_name":"php-symfony-class-loader","binary_version":"3.4.6+dfsg-1ubuntu0.1+esm2"},{"binary_name":"php-symfony-config","binary_version":"3.4.6+dfsg-1ubuntu0.1+esm2"},{"binary_name":"php-symfony-console","binary_version":"3.4.6+dfsg-1ubuntu0.1+esm2"},{"binary_name":"php-symfony-css-selector","binary_version":"3.4.6+dfsg-1ubuntu0.1+esm2"},{"binary_name":"php-symfony-debug","binary_version":"3.4.6+dfsg-1ubuntu0.1+esm2"},{"binary_name":"php-symfony-debug-bundle","binary_version":"3.4.6+dfsg-1ubuntu0.1+esm2"},{"binary_name":"php-symfony-dependency-injection","binary_version":"3.4.6+dfsg-1ubuntu0.1+esm2"},{"binary_name":"php-symfony-doctrine-bridge","binary_version":"3.4.6+dfsg-1ubuntu0.1+esm2"},{"binary_name":"php-symfony-dom-crawler","binary_version":"3.4.6+dfsg-1ubuntu0.1+esm2"},{"binary_name":"php-symfony-dotenv","binary_version":"3.4.6+dfsg-1ubuntu0.1+esm2"},{"binary_name":"php-symfony-event-dispatcher","binary_version":"3.4.6+dfsg-1ubuntu0.1+esm2"},{"binary_name":"php-symfony-expression-language","binary_version":"3.4.6+dfsg-1ubuntu0.1+esm2"},{"binary_name":"php-symfony-filesystem","binary_version":"3.4.6+dfsg-1ubuntu0.1+esm2"},{"binary_name":"php-symfony-finder","binary_version":"3.4.6+dfsg-1ubuntu0.1+esm2"},{"binary_name":"php-symfony-form","binary_version":"3.4.6+dfsg-1ubuntu0.1+esm2"},{"binary_name":"php-symfony-framework-bundle","binary_version":"3.4.6+dfsg-1ubuntu0.1+esm2"},{"binary_name":"php-symfony-http-foundation","binary_version":"3.4.6+dfsg-1ubuntu0.1+esm2"},{"binary_name":"php-symfony-http-kernel","binary_version":"3.4.6+dfsg-1ubuntu0.1+esm2"},{"binary_name":"php-symfony-inflector","binary_version":"3.4.6+dfsg-1ubuntu0.1+esm2"},{"binary_name":"php-symfony-intl","binary_version":"3.4.6+dfsg-1ubuntu0.1+esm2"},{"binary_name":"php-symfony-ldap","binary_version":"3.4.6+dfsg-1ubuntu0.1+esm2"},{"binary_name":"php-symfony-lock","binary_version":"3.4.6+dfsg-1ubuntu0.1+esm2"},{"binary_name":"php-symfony-monolog-bridge","binary_version":"3.4.6+dfsg-1ubuntu0.1+esm2"},{"binary_name":"php-symfony-options-resolver","binary_version":"3.4.6+dfsg-1ubuntu0.1+esm2"},{"binary_name":"php-symfony-phpunit-bridge","binary_version":"3.4.6+dfsg-1ubuntu0.1+esm2"},{"binary_name":"php-symfony-process","binary_version":"3.4.6+dfsg-1ubuntu0.1+esm2"},{"binary_name":"php-symfony-property-access","binary_version":"3.4.6+dfsg-1ubuntu0.1+esm2"},{"binary_name":"php-symfony-property-info","binary_version":"3.4.6+dfsg-1ubuntu0.1+esm2"},{"binary_name":"php-symfony-proxy-manager-bridge","binary_version":"3.4.6+dfsg-1ubuntu0.1+esm2"},{"binary_name":"php-symfony-routing","binary_version":"3.4.6+dfsg-1ubuntu0.1+esm2"},{"binary_name":"php-symfony-security","binary_version":"3.4.6+dfsg-1ubuntu0.1+esm2"},{"binary_name":"php-symfony-security-bundle","binary_version":"3.4.6+dfsg-1ubuntu0.1+esm2"},{"binary_name":"php-symfony-security-core","binary_version":"3.4.6+dfsg-1ubuntu0.1+esm2"},{"binary_name":"php-symfony-security-csrf","binary_version":"3.4.6+dfsg-1ubuntu0.1+esm2"},{"binary_name":"php-symfony-security-guard","binary_version":"3.4.6+dfsg-1ubuntu0.1+esm2"},{"binary_name":"php-symfony-security-http","binary_version":"3.4.6+dfsg-1ubuntu0.1+esm2"},{"binary_name":"php-symfony-serializer","binary_version":"3.4.6+dfsg-1ubuntu0.1+esm2"},{"binary_name":"php-symfony-stopwatch","binary_version":"3.4.6+dfsg-1ubuntu0.1+esm2"},{"binary_name":"php-symfony-templating","binary_version":"3.4.6+dfsg-1ubuntu0.1+esm2"},{"binary_name":"php-symfony-translation","binary_version":"3.4.6+dfsg-1ubuntu0.1+esm2"},{"binary_name":"php-symfony-twig-bridge","binary_version":"3.4.6+dfsg-1ubuntu0.1+esm2"},{"binary_name":"php-symfony-twig-bundle","binary_version":"3.4.6+dfsg-1ubuntu0.1+esm2"},{"binary_name":"php-symfony-validator","binary_version":"3.4.6+dfsg-1ubuntu0.1+esm2"},{"binary_name":"php-symfony-var-dumper","binary_version":"3.4.6+dfsg-1ubuntu0.1+esm2"},{"binary_name":"php-symfony-web-link","binary_version":"3.4.6+dfsg-1ubuntu0.1+esm2"},{"binary_name":"php-symfony-web-profiler-bundle","binary_version":"3.4.6+dfsg-1ubuntu0.1+esm2"},{"binary_name":"php-symfony-web-server-bundle","binary_version":"3.4.6+dfsg-1ubuntu0.1+esm2"},{"binary_name":"php-symfony-workflow","binary_version":"3.4.6+dfsg-1ubuntu0.1+esm2"},{"binary_name":"php-symfony-yaml","binary_version":"3.4.6+dfsg-1ubuntu0.1+esm2"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2018/UBUNTU-CVE-2018-11408.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"type":"Ubuntu","score":"low"}]}