PatchSiren cyber security CVE debrief

CVE-2016-2403 Sensiolabs CVE debrief

CVE-2016-2403 is a critical authentication-bypass issue in Symfony. On affected versions, a remote attacker with a valid username could authenticate using an empty password when the application was configured against a misconfigured LDAP server, resulting in an unauthenticated bind and possible full account compromise. NVD rates the issue CVSS 9.8 and maps it to CWE-287.

Vendor: Sensiolabs
Product: CVE-2016-2403
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-07
Original CVE updated: 2026-05-13
Advisory published: 2017-02-07
Advisory updated: 2026-05-13

Who should care

Security, platform, and application teams running Symfony-based applications that use LDAP or directory-backed authentication, especially where login endpoints are exposed to the internet. Debian or other downstream package consumers should also verify whether they inherited the affected Symfony versions.

Technical summary

The vulnerability affects Symfony before 2.8.6 and 3.x before 3.0.6. The trigger described in the advisory is a login attempt using a valid username and an empty password against a misconfigured LDAP server, which can lead to an unauthenticated bind. NVD lists vulnerable Symfony CPEs covering 2.8.0 through 2.8.5 and 3.0.0 through 3.0.5, with CVSS v3.0 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and CWE-287.

Defensive priority

Immediate. This is a remote, unauthenticated authentication bypass with critical impact, so upgrading or patching should be treated as a top-priority remediation.

Recommended defensive actions

  • Upgrade Symfony to 2.8.6 or later, or 3.0.6 or later; use a supported maintained release if possible.
  • Review LDAP and authentication configuration for any behavior that could permit empty passwords, anonymous binds, or unintended fallback authentication.
  • Audit login logs and authentication telemetry for successful logins with blank passwords or unusual authentication successes from new IPs or user agents.
  • If exposure is suspected, rotate credentials, invalidate sessions, and review authorization changes performed by potentially bypassed accounts.
  • Apply downstream vendor security updates where applicable, including Debian security guidance referenced for this CVE.
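The empty-password trigger from the technical summary and the configuration review in the second action above, as an added Python model that is not Symfony's code and not part of this advisory: a constructed stand-in directory that follows the RFC 4513 unauthenticated-bind rule, beside a login flow that trusts the bind result alone and one that refuses an empty password before binding. FakeLdapServer, dn_for and the sample DN and password are assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass
class FakeLdapServer:
    """Constructed stand-in for a directory server (not a real LDAP client).

    RFC 4513 section 5.1.2 defines a simple bind that carries a name but an
    empty password as an *unauthenticated* bind. A server configured to allow
    it answers "success" without checking any credential.
    """
    passwords: dict                     # DN -> password, constructed sample data
    allow_unauthenticated: bool = True  # True models the misconfigured server

    def simple_bind(self, dn: str, password: str) -> bool:
        if dn and password == "":
            # Unauthenticated bind: outcome depends only on server policy and
            # on the DN existing, never on a password check.
            return self.allow_unauthenticated and dn in self.passwords
        return self.passwords.get(dn) == password


def dn_for(username: str) -> str:
    """Assumed DN layout; real deployments derive this from configuration."""
    return f"uid={username},dc=example,dc=org"


def login_vulnerable(server: FakeLdapServer, username: str, password: str) -> bool:
    """Trusts the bind result alone: the pattern the advisory describes."""
    return server.simple_bind(dn_for(username), password)


def login_hardened(server: FakeLdapServer, username: str, password: str) -> bool:
    """Refuses an empty password before any bind is attempted, so the
    application never depends on the directory's unauthenticated-bind policy."""
    if not username or password == "":
        return False
    return server.simple_bind(dn_for(username), password)


if __name__ == "__main__":
    directory = FakeLdapServer({dn_for("alice"): "s3cret"})
    print("vulnerable, empty password:", login_vulnerable(directory, "alice", ""))      # True
    print("hardened, empty password:", login_hardened(directory, "alice", ""))          # False
    print("hardened, right password:", login_hardened(directory, "alice", "s3cret"))    # True
```

Setting allow_unauthenticated to False shows the server-side fix on its own also closes the bypass; the application-side guard is what keeps the login safe when the directory configuration is outside your control.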

Evidence notes

This debrief is based on the supplied CVE description, the NVD record, and the listed references. The supplied advisory text explicitly states that Symfony before 2.8.6 and 3.x before 3.0.6 can be bypassed via an empty password and valid username on a misconfigured LDAP server. NVD provides the CVSS vector, CWE-287 mapping, and vulnerable version criteria. No KEV entry was provided in the supplied corpus.

Official resources

CVE published on 2017-02-07; the NVD record was last modified on 2026-05-13. No KEV listing was provided in the supplied corpus.