Vulnerability Details : CVE-2019-16768
In affected versions of Sylius, exception messages from internal exceptions (like database exception) are wrapped by \Symfony\Component\Security\Core\Exception\AuthenticationServiceException and propagated through the system to UI. Therefore, some internal system information may leak and be visible to the customer. A validation message with the exception details will be presented to the user when one will try to log into the shop. This has been patched in versions 1.3.14, 1.4.10, 1.5.7, and 1.6.3.
Products affected by CVE-2019-16768
- cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*
- cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*
- cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*
- cpe:2.3:a:sylius:sylius:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-16768
0.05%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 21 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-16768
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.0
|
MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
8.0
|
2.9
|
NIST | |
4.3
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
2.8
|
1.4
|
NIST | |
3.5
|
LOW | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N |
2.1
|
1.4
|
GitHub, Inc. |
CWE ids for CVE-2019-16768
-
The product generates an error message that includes sensitive information about its environment, users, or associated data.Assigned by:
- nvd@nist.gov (Primary)
- security-advisories@github.com (Secondary)
References for CVE-2019-16768
-
https://github.com/Sylius/Sylius/commit/be245302dfc594d8690fe50dd47631d186aa945f
Generate changelog for v1.3.14 · Sylius/Sylius@be24530 · GitHubRelease Notes
-
https://github.com/Sylius/Sylius/security/advisories/GHSA-3r8j-pmch-5j2h
Internal exception message exposure for login action · Advisory · Sylius/Sylius · GitHubMitigation;Third Party Advisory
Jump to