Page MenuHomePhabricator
Create Task
Maniphest T284840

wikimedia/eventmetrics has vulnerable dependencies - symfony/security-core, symfony/security-guard (4.4.13)
Closed, ResolvedPublic1 Estimated Story PointsSecurity
Actions

Description

Via php-composer-security-docker:

2 packages have known vulnerabilities.

symfony/security-core (4.4.13)
------------------------------

* [CVE-2021-21424][]: CVE-2021-21424: Prevent user enumeration via response content in authentication mechanisms

symfony/security-guard (4.4.13)
-------------------------------

* [CVE-2021-21424][]: CVE-2021-21424: Prevent user enumeration via response content in authentication mechanisms

https://symfony.com/cve-2021-21424
https://nvd.nist.gov/vuln/detail/CVE-2021-21424

Details

Impacted
wikimedia/eventmetrics
Risk Rating
Medium
Author Affiliation
WMF Technology Dept

Related Objects

Event Timeline

sbassett created this task.Jun 11 2021, 7:55 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 11 2021, 7:55 PM
sbassett added a project: Vuln-VulnComponent.Jun 11 2021, 7:57 PM
sbassett changed Impacted from wikimedia/eventmetric to wikimedia/eventmetrics.
Aklapper added a project: Event Metrics.Jun 11 2021, 8:16 PM

Tagging Event Metrics (please set project tags when possible)

sbassett moved this task from Incoming to Watching on the Security-Team board.Jun 14 2021, 3:43 PM
sbassett added a project: SecTeam-Processed.
MusikAnimal claimed this task.Jun 14 2021, 5:54 PM
MusikAnimal edited projects, added Community-Tech (CommTech-Sprint-2); removed Community-Tech.Jun 17 2021, 3:03 PM
MusikAnimal set the point value for this task to 1.

Interesting that GitHub's Dependabot did not report this, nor does Symfony itself. Whenever the Symfony version is out of date due to security concerns, the developer toolbar will show the Symfony version in red. It's still green on v4.4.19.

Anyway this PR bumps Symfony to 4.4.25: https://github.com/wikimedia/eventmetrics/pull/316

MusikAnimal moved this task from Ready 🎬 to Review/Feedback 💬 on the Community-Tech (CommTech-Sprint-2) board.Jun 17 2021, 3:03 PM
MusikAnimal mentioned this in rGEVM80392e39ab19: Bump Symfony core.Jun 17 2021, 3:12 PM
MusikAnimal closed this task as Resolved.Jun 17 2021, 3:32 PM
MusikAnimal moved this task from Review/Feedback 💬 to Done 🏁 on the Community-Tech (CommTech-Sprint-2) board.

Merged and deployed

sbassett triaged this task as Low priority.Jun 17 2021, 3:51 PM
sbassett awarded a token.
sbassett changed the visibility from "Custom Policy" to "Public (No Login Required)".
sbassett changed the edit policy from "Custom Policy" to "All Users".
sbassett moved this task from Backlog to Triaged on the Event Metrics board.
sbassett moved this task from Watching to Our Part Is Done on the Security-Team board.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL