New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cve-2021-21424に関する調査 #5041

Closed

chihiro-adachi opened this issue May 13, 2021 · 1 comment

Labels

security

Milestone

Contributor

chihiro-adachi commented May 13, 2021 •

edited

概要(Overview)

以下の脆弱性に関する調査内容です
https://symfony.com/blog/cve-2021-21424-prevent-user-enumeration-in-authentication-mechanisms

該当コンポーネントを利用していた場合、ユーザ名の推測が可能になる脆弱性
Symfonyのセキュリティコンポーネントの更新で解消可能

影響範囲

本体では該当コンポーネントを利用していないので対象外
APIプラグインで、OAuth2Bandle経由で利用している可能性あり
- ただし、ユーザ名の推測まで実行可能かどうかは不明(要調査)

環境 (environment)

EC-CUBE: 4.0.x / 3.0.x
PHP: 7.x.x
DB:
- PostgreSQL x.x.x
- MySQL x.x.x

関連情報 (Ref)

okazy added this to the 4.0.x milestone

okazy mentioned this issue

Bump symfony/security from 3.4.42 to 3.4.48 #5042

Merged

Contributor Author

chihiro-adachi commented May 27, 2021

#5048 にて更新

chihiro-adachi added the security label

matsuoshi closed this as completed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment