CVE-2019-16768
Internal exception message exposure for login action in Sylius
Description
## Internal exception message exposure for login action

### Impact

Exception messages from internal exceptions (such as a database exception) are wrapped by `\Symfony\Component\Security\Core\Exception\AuthenticationServiceException` and propagated through the system to the UI. As a result, internal system information may leak and become visible to the customer: a validation message containing the exception details is presented to the user when they try to log into the shop.

### Patches

_Has the problem been patched? What versions should users upgrade to?_

### Workarounds

The `src/Sylius/Bundle/UiBundle/Resources/views/Security/_login.html.twig` file should be overridden and lines https://github.com/Sylius/Sylius/blob/1.4/src/Sylius/Bundle/UiBundle/Resources/views/Security/_login.html.twig#L13-L17 should be replaced with

```twig
{% if last_error %}
    <div class="ui left aligned basic segment">
        {{ messages.error(last_error.messageKey) }}
    </div>
{% endif %}
```

The `messageKey` field should be used instead of `message`: `messageKey` yields a generic, translatable authentication message, whereas `message` carries the text of the wrapped internal exception.
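As an added example (not part of the advisory or the Sylius project), the following Python script audits an overridden login template for the leaking construct and applies the workaround mechanically. The vulnerable template text is constructed here from the advisory's description (`last_error.message` in place of `last_error.messageKey`), not copied from Sylius.

```python
import re
from typing import List, Tuple

# Constructed sample (assumption): the pre-workaround template body, rendering the
# raw exception message, and the patched form from the advisory's workaround.
VULNERABLE_TEMPLATE = """{% if last_error %}
    <div class="ui left aligned basic segment">
        {{ messages.error(last_error.message) }}
    </div>
{% endif %}
"""

PATCHED_TEMPLATE = """{% if last_error %}
    <div class="ui left aligned basic segment">
        {{ messages.error(last_error.messageKey) }}
    </div>
{% endif %}
"""

# Matches `last_error.message` but not `last_error.messageKey`: the negative
# lookahead rejects any identifier character directly after "message".
LEAK_PATTERN = re.compile(r"last_error\.message(?![A-Za-z0-9_])")


def find_leaking_lines(template: str) -> List[Tuple[int, str]]:
    """Return (line_number, stripped_line) for every line that renders the raw message."""
    return [
        (number, line.strip())
        for number, line in enumerate(template.splitlines(), start=1)
        if LEAK_PATTERN.search(line)
    ]


def apply_workaround(template: str) -> str:
    """Rewrite raw-message rendering to the generic, translatable messageKey."""
    return LEAK_PATTERN.sub("last_error.messageKey", template)
```

Run `find_leaking_lines` over each overridden `_login.html.twig` in a deployment; an empty result means the template no longer renders the wrapped exception text.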
How to fix CVE-2019-16768
To remediate CVE-2019-16768, upgrade the affected package to a fixed version below.
- Upgrade to 1.3.14 or later
Is CVE-2019-16768 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 1.3.14
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | LOW 3.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N |