6.1

CVSS Score

3.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2017-16652

CVE-2017-16652: Symfony Open Redirect

An issue was discovered in Symfony 2.7.x before 2.7.38, 2.8.x before 2.8.31, 3.2.x before 3.2.14, and 3.3.x before 3.3.13. DefaultAuthenticationSuccessHandler or DefaultAuthenticationFailureHandler takes the content of the _target_path parameter and generates a redirect response, but no check is performed on the path, which could be an absolute URL to an external domain. This Open redirect vulnerability can be exploited for example to mount effective phishing attacks.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2017-16652

CVE-2017-16652:

6.1

CVSS Score

3.0

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
symfony/symfony	composer	>= 2.7.0, < 2.7.38	2.7.38
symfony/symfony	composer	>= 2.8.0, < 2.8.31	2.8.31
symfony/symfony	composer	>= 3.2.0, < 3.2.14	3.2.14
symfony/symfony	composer	>= 3.3.0, < 3.3.13	3.3.13
symfony/security-http	composer	>= 2.7.0, < 2.7.38	2.7.38
symfony/security-http	composer	>= 2.8.0, < 2.8.31	2.8.31
symfony/security-http	composer	>= 3.2.0, < 3.2.14	3.2.14
symfony/security-http	composer	>= 3.3.0, < 3.3.13	3.3.13
symfony/security	composer	>= 2.7.0, < 2.7.38	2.7.38
symfony/security	composer	>= 2.8.0, < 2.8.31	2.8.31
symfony/security	composer	>= 3.2.0, < 3.2.14	3.2.14
symfony/security	composer	>= 3.3.0, < 3.3.13	3.3.13

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description explicitly names DefaultAuthenticationSuccessHandler and DefaultAuthenticationFailureHandler as the components that improperly handled _target_path parameters. Both handlers' determineTargetUrl methods would be responsible for processing this parameter and generating redirects. The lack of validation for absolute URLs to external domains in these methods directly enables the open redirect vulnerability. The functions are clearly identified in Symfony's security advisory and CVE description as the root cause.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2017-16652: Symfony Open Redirect

CVE-2017-16652:

6.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2017-16652: Symfony Open Redirect

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

6.1

6.1

Technical Details

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI