doctrine/doctrine-module zero-valued authentication credentials vulnerability · GHSA-9wv8-3h8h-x2wc · GitHub Advisory Database · GitHub

doctrine/doctrine-module zero-valued authentication credentials vulnerability

Moderate severity GitHub Reviewed Published May 15, 2024 to the GitHub Advisory Database • Updated May 15, 2024

Package

doctrine/doctrine-module (Composer)

Affected versions

< 0.7.2

Patched versions

0.7.2

Description

it is possible (under certain circumstances) to obtain a valid Zend\Authentication identity even without knowing the user's credentials by using a numerically valued credential in DoctrineModule\Authentication\Adapter\ObjectRepository.

References

Published to the GitHub Advisory Database May 15, 2024

Reviewed May 15, 2024

Last updated May 15, 2024

Severity

Moderate

/ 10

CVSS v3 base metrics

Attack vector

Network

Attack complexity

High

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N