The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Vulnerability of Symfony, Drupal: privilege escalation via the "remember me" cookie

Synthesis of the vulnerability

An attacker can bypass restrictions via the "remember me" cookie of Symfony or Drupal, in order to escalate his privileges.
Severity of this announcement: 2/4.
Creation date: 18/04/2019.
References for this computer vulnerability: CERTFR-2019-AVI-180, CVE-2019-10911, DLA-1778-1, DRUPAL-SA-CORE-2019-005, DRUPAL-SA-CORE-2019-006, DSA-4441-1, FEDORA-2019-2a7f472198, FEDORA-2019-32067d8b15, FEDORA-2019-3ee6a7adf2, FEDORA-2019-a3ca65028c, FEDORA-2019-f8db687840, ibm10882578, ibm10882596, ibm10882756, ibm10882762, ibm10882952, ibm10882956, Synology-SA-19:19, VIGILANCE-VUL-29065.

Description of the vulnerability

An attacker can bypass restrictions via the "remember me" cookie of Symfony or Drupal, in order to escalate his privileges.

This computer threat note impacts software or systems such as Debian, Drupal Core, Fedora, IBM API Connect, Symfony, Synology DSM.

Our Vigil@nce team determined that the severity of this weakness alert is medium.

The trust level is "confirmed by the editor (vendor)", and the attack origin is "internet client".

An attacker with expert skills can exploit this computer weakness note.

Solutions for this threat

Symfony: version 4.2.7.
The version 4.2.7 is fixed:
  https://symfony.com/download

Symfony: version 4.1.12.
The version 4.1.12 is fixed:
  https://symfony.com/download

Symfony: version 3.4.26.
The version 3.4.26 is fixed:
  https://symfony.com/download

Symfony: version 2.8.50.
The version 2.8.50 is fixed:
  https://symfony.com/download

Symfony: version 2.7.51.
The version 2.7.51 is fixed:
  https://symfony.com/download

Debian 8: new symfony packages.
New packages are available:
  Debian 8: symfony 2.3.21+dfsg-4+deb8u5

Debian 9: new symfony packages.
New packages are available:
  Debian 9: symfony 2.8.7+dfsg-1.3+deb9u2

Drupal Core: version 8.5.15.
The version 8.5.15 is fixed:
  https://www.drupal.org/project/drupal

Drupal Core: version 8.6.15.
The version 8.6.15 is fixed:
  https://www.drupal.org/project/drupal

Fedora: new php-symfony packages.
New packages are available:
  Fedora 28: php-symfony 2.8.51-1.fc28, php-symfony3 3.4.26-1.fc28
  Fedora 29: php-symfony 2.8.51-1.fc29, php-symfony3 3.4.26-1.fc29, php-symfony4 4.1.12-1.fc29

IBM API Connect: patch for Drupal.
A patch is available:
   IBM API Connect V5.0.0.0-5.0.8.6: http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+API+Connect&release=5.0.8.5&platform=All&function=fixId&fixids=5.0.8.6-iFix-APIConnect-Portal-Ubuntu16-20190423-2319.ova%3A67094276418854,5.0.8.6-iFix-APIConnect-Portal-Ubuntu16-20190423-2319%3A67094276418854&includeSupersedes=0&source=fc

IBM API Connect: version 2018.4.1.5.
The version 2018.4.1.5 is fixed:
  http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+API+Connect&release=2018.4.1.4&platform=All&function=all&source=fc
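As an added check (this code is not part of the Vigil@nce bulletin), the following Python compares an installed Symfony or Drupal Core version with the fixed releases listed in the solutions above, branch by branch, and flags branches for which the bulletin lists no fixed release; the composer.lock fragment and the Composer package names symfony/symfony and symfony/security are assumptions made for the demonstration.

```python
# Added example: check installed versions against the fixed releases this
# bulletin lists. FIXED is copied from the "Solutions" section above; the
# composer.lock sample and the package names are constructed for the demo.
import json

# Per-branch fixed releases (major.minor -> first fixed version tuple).
FIXED = {
    "symfony": {"2.7": (2, 7, 51), "2.8": (2, 8, 50), "3.4": (3, 4, 26),
                "4.1": (4, 1, 12), "4.2": (4, 2, 7)},
    "drupal": {"8.5": (8, 5, 15), "8.6": (8, 6, 15)},
}


def parse_version(text):
    """'v4.2.6' or '4.2.6' -> (4, 2, 6); a '-dev'/'-beta' suffix is dropped."""
    core = text.lstrip("v").split("-")[0]
    parts = [int(p) for p in core.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def status(product, version):
    """Return 'fixed', 'vulnerable' or 'unlisted-branch' for one product/version."""
    v = parse_version(version)
    fixed = FIXED[product].get(f"{v[0]}.{v[1]}")
    if fixed is None:
        # The bulletin lists no fixed release on this branch (e.g. Symfony 4.0.x):
        # the only remedy it gives is moving to one of the listed branches.
        return "unlisted-branch"
    return "fixed" if v >= fixed else "vulnerable"


def audit_composer_lock(lock_json, packages=("symfony/symfony", "symfony/security")):
    """Map each watched Symfony package in a composer.lock document to its status."""
    lock = json.loads(lock_json)
    return {pkg["name"]: status("symfony", pkg["version"])
            for pkg in lock.get("packages", []) if pkg["name"] in packages}


# Constructed composer.lock fragment (assumed package names) for the demo.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "symfony/symfony", "version": "v3.4.25"},
    {"name": "symfony/security", "version": "v4.2.7"},
]})

if __name__ == "__main__":
    print(audit_composer_lock(SAMPLE_LOCK))
```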

Computer vulnerabilities tracking service

Vigil@nce provides an application vulnerability workaround. The Vigil@nce vulnerability database contains several thousand vulnerabilities.