CVE-2019-16768

Internal exception message exposure for login action in Sylius

Severity Score

4.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In affected versions of Sylius, exception messages from internal exceptions (like database exception) are wrapped by \Symfony\Component\Security\Core\Exception\AuthenticationServiceException and propagated through the system to UI. Therefore, some internal system information may leak and be visible to the customer. A validation message with the exception details will be presented to the user when one will try to log into the shop. This has been patched in versions 1.3.14, 1.4.10, 1.5.7, and 1.6.3.

Unos mensajes de excepción de las excepciones internas (como la excepción de la base de datos) están empaquetados por \Symfony\Component\Security\Core\Exception\AuthenticationServiceException y se propagan por medio del sistema a la Interfaz de Usuario. Por lo tanto, algo de la información interna del sistema puede filtrarse y ser visible para el cliente. Un mensaje de comprobación con los detalles de la excepción será presentado al usuario cuando uno intentase iniciar sesión en la tienda.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-09-24 CVE Reserved
2019-12-05 CVE Published
2023-03-08 EPSS Updated
2024-08-05 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-209: Generation of Error Message Containing Sensitive Information

CAPEC

References (2)

URL	Tag	Source
https://github.com/Sylius/Sylius/commit/be245302dfc594d8690fe50dd47631d186aa945f	Release Notes
https://github.com/Sylius/Sylius/security/advisories/GHSA-3r8j-pmch-5j2h	Mitigation

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Sylius Search vendor "Sylius"		Sylius Search vendor "Sylius" for product "Sylius"				< 1.3.14 Search vendor "Sylius" for product "Sylius" and version " < 1.3.14"		-		Affected
Sylius Search vendor "Sylius"		Sylius Search vendor "Sylius" for product "Sylius"				>= 1.4.0 < 1.4.10 Search vendor "Sylius" for product "Sylius" and version " >= 1.4.0 < 1.4.10"		-		Affected
Sylius Search vendor "Sylius"		Sylius Search vendor "Sylius" for product "Sylius"				>= 1.5.0 < 1.5.7 Search vendor "Sylius" for product "Sylius" and version " >= 1.5.0 < 1.5.7"		-		Affected
Sylius Search vendor "Sylius"		Sylius Search vendor "Sylius" for product "Sylius"				>= 1.6.0 < 1.6.3 Search vendor "Sylius" for product "Sylius" and version " >= 1.6.0 < 1.6.3"		-		Affected