CVE-2019-16768

05.12.2019, 20:15

In affected versions of Sylius, exception messages from internal exceptions (like database exception) are wrapped by \Symfony\Component\Security\Core\Exception\AuthenticationServiceException and propagated through the system to UI. Therefore, some internal system information may leak and be visible to the customer. A validation message with the exception details will be presented to the user when one will try to log into the shop. This has been patched in versions 1.3.14, 1.4.10, 1.5.7, and 1.6.3.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	3.5 LOW	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
GitHub_M	CNA	3.5 LOW	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 56%

Vendor	Product	Version
sylius	sylius	𝑥 < 1.3.14
sylius	sylius	1.4.0 ≤ 𝑥 < 1.4.10
sylius	sylius	1.5.0 ≤ 𝑥 < 1.5.7
sylius	sylius	1.6.0 ≤ 𝑥 < 1.6.3

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-209 - Generation of Error Message Containing Sensitive Information
The software generates an error message that includes sensitive information about its environment, users, or associated data.

References

https://github.com/Sylius/Sylius/commit/be245302dfc594d8690fe50dd47631d186aa945f

https://github.com/Sylius/Sylius/security/advisories/GHSA-3r8j-pmch-5j2h

https://github.com/Sylius/Sylius/commit/be245302dfc594d8690fe50dd47631d186aa945f

https://github.com/Sylius/Sylius/security/advisories/GHSA-3r8j-pmch-5j2h