CVE-2019-16768 - Vulnerability Details - OpenCVE

In affected versions of Sylius, exception messages from internal exceptions (like database exception) are wrapped by \Symfony\Component\Security\Core\Exception\AuthenticationServiceException and propagated through the system to UI. Therefore, some internal system information may leak and be visible to the customer. A validation message with the exception details will be presented to the user when one will try to log into the shop. This has been patched in versions 1.3.14, 1.4.10, 1.5.7, and 1.6.3.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Sylius	Sylius

Configuration 1 [-]

OR	cpe:2.3:a:sylius:sylius::::::::
	cpe:2.3:a:sylius:sylius::::::::
	cpe:2.3:a:sylius:sylius::::::::
	cpe:2.3:a:sylius:sylius::::::::

No data.

References

Link	Providers
https://github.com/Sylius/Sylius/commit/be245302dfc594d8690fe50dd47631d186aa945f
https://github.com/Sylius/Sylius/security/advisories/GHSA-3r8j-pmch-5j2h

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2019-12-05T20:00:21

Updated: 2024-08-05T01:24:47.238Z

Reserved: 2019-09-24T00:00:00

Link: CVE-2019-16768

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-12-05T20:15:09.997

Modified: 2024-11-21T04:31:09.083

Link: CVE-2019-16768

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Sylius", "vendor": "Sylius", "versions": [{"lessThan": "1.3.14", "status": "affected", "version": "< 1.3.14", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "In affected versions of Sylius, exception messages from internal exceptions (like database exception) are wrapped by \\Symfony\\Component\\Security\\Core\\Exception\\AuthenticationServiceException and propagated through the system to UI. Therefore, some internal system information may leak and be visible to the customer. A validation message with the exception details will be presented to the user when one will try to log into the shop. This has been patched in versions 1.3.14, 1.4.10, 1.5.7, and 1.6.3."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-209", "description": "CWE-209 Information Exposure Through an Error Message", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2019-12-06T15:13:56", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-3r8j-pmch-5j2h"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/Sylius/Sylius/commit/be245302dfc594d8690fe50dd47631d186aa945f"}], "source": {"advisory": "GHSA-3r8j-pmch-5j2h", "discovery": "UNKNOWN"}, "title": "Internal exception message exposure for login action in Sylius", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2019-16768", "STATE": "PUBLIC", "TITLE": "Internal exception message exposure for login action in Sylius"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Sylius", "version": {"version_data": [{"version_affected": "<", "version_name": "< 1.3.14", "version_value": "1.3.14"}]}}]}, "vendor_name": "Sylius"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In affected versions of Sylius, exception messages from internal exceptions (like database exception) are wrapped by \\Symfony\\Component\\Security\\Core\\Exception\\AuthenticationServiceException and propagated through the system to UI. Therefore, some internal system information may leak and be visible to the customer. A validation message with the exception details will be presented to the user when one will try to log into the shop. This has been patched in versions 1.3.14, 1.4.10, 1.5.7, and 1.6.3."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-209 Information Exposure Through an Error Message"}]}]}, "references": {"reference_data": [{"name": "https://github.com/Sylius/Sylius/security/advisories/GHSA-3r8j-pmch-5j2h", "refsource": "CONFIRM", "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-3r8j-pmch-5j2h"}, {"name": "https://github.com/Sylius/Sylius/commit/be245302dfc594d8690fe50dd47631d186aa945f", "refsource": "MISC", "url": "https://github.com/Sylius/Sylius/commit/be245302dfc594d8690fe50dd47631d186aa945f"}]}, "source": {"advisory": "GHSA-3r8j-pmch-5j2h", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T01:24:47.238Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-3r8j-pmch-5j2h"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/Sylius/Sylius/commit/be245302dfc594d8690fe50dd47631d186aa945f"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2019-16768", "datePublished": "2019-12-05T20:00:21", "dateReserved": "2019-09-24T00:00:00", "dateUpdated": "2024-08-05T01:24:47.238Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*", "matchCriteriaId": "775912B0-A604-4155-AADD-870B1E3F9519", "versionEndExcluding": "1.3.14", "vulnerable": true}, {"criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*", "matchCriteriaId": "DC5C9FB3-982A-463A-B9D6-E51CC6299DAF", "versionEndExcluding": "1.4.10", "versionStartIncluding": "1.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*", "matchCriteriaId": "76962E39-CE3E-4406-84D3-904127B845B2", "versionEndExcluding": "1.5.7", "versionStartIncluding": "1.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*", "matchCriteriaId": "6433D719-0A14-42DA-8F34-4EAEAE6AB71B", "versionEndExcluding": "1.6.3", "versionStartIncluding": "1.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In affected versions of Sylius, exception messages from internal exceptions (like database exception) are wrapped by \\Symfony\\Component\\Security\\Core\\Exception\\AuthenticationServiceException and propagated through the system to UI. Therefore, some internal system information may leak and be visible to the customer. A validation message with the exception details will be presented to the user when one will try to log into the shop. This has been patched in versions 1.3.14, 1.4.10, 1.5.7, and 1.6.3."}, {"lang": "es", "value": "Unos mensajes de excepci\u00f3n de las excepciones internas (como la excepci\u00f3n de la base de datos) est\u00e1n empaquetados por \\Symfony\\Component\\Security\\Core\\Exception\\AuthenticationServiceException y se propagan por medio del sistema a la Interfaz de Usuario. Por lo tanto, algo de la informaci\u00f3n interna del sistema puede filtrarse y ser visible para el cliente. Un mensaje de comprobaci\u00f3n con los detalles de la excepci\u00f3n ser\u00e1 presentado al usuario cuando uno intentase iniciar sesi\u00f3n en la tienda."}], "id": "CVE-2019-16768", "lastModified": "2024-11-21T04:31:09.083", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-12-05T20:15:09.997", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/Sylius/Sylius/commit/be245302dfc594d8690fe50dd47631d186aa945f"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-3r8j-pmch-5j2h"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/Sylius/Sylius/commit/be245302dfc594d8690fe50dd47631d186aa945f"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://github.com/Sylius/Sylius/security/advisories/GHSA-3r8j-pmch-5j2h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-209"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-209"}], "source": "nvd@nist.gov", "type": "Primary"}]}