CVE-2019-16768

Severity: LOW 3.5, EPSS 0.35%

Internal exception message exposure for login action in Sylius

Published: 2019/12/5, Modified: 2026/3/13

Description

## Internal exception message exposure for login action

### Impact

Exception messages from internal exceptions (such as database exceptions) are wrapped by `\Symfony\Component\Security\Core\Exception\AuthenticationServiceException` and propagated through the system to the UI. As a result, internal system information may leak and become visible to the customer: a validation message containing the exception details is presented to the user when they try to log into the shop.

### Patches

_Has the problem been patched? What versions should users upgrade to?_

### Workarounds

The `src/Sylius/Bundle/UiBundle/Resources/views/Security/_login.html.twig` file should be overridden and the lines at https://github.com/Sylius/Sylius/blob/1.4/src/Sylius/Bundle/UiBundle/Resources/views/Security/_login.html.twig#L13-L17 should be replaced with

```twig
{% if last_error %}
    <div class="ui left aligned basic segment">
        {{ messages.error(last_error.messageKey) }}
    </div>
{% endif %}
```

The `messageKey` field should be used instead of `message`.
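The following is an added example, not Sylius or Symfony code, that models the mechanism behind this advisory in plain PHP: a driver exception raised while loading the user is wrapped in an `AuthenticationServiceException`, and the login template then renders either `message` (the wrapped driver text) or `messageKey` (a fixed string). The two exception classes are simplified stand-ins for the Symfony ones (assumption: only `getMessageKey()` is modelled; the real classes live in `Symfony\Component\Security\Core\Exception`, and the key text used here is the one Symfony's `AuthenticationServiceException` returns). The `PDOException` text and the `renderLoginError*` and `leaksInternalDetail` helpers are constructed for the example.

```php
<?php
declare(strict_types=1);

// Simplified stand-ins for Symfony's exception classes (assumption: shape
// mirrors the real ones in Symfony\Component\Security\Core\Exception).
class AuthenticationException extends \RuntimeException
{
    // Safe, translatable message intended for end users.
    public function getMessageKey(): string
    {
        return 'An authentication exception occurred.';
    }
}

class AuthenticationServiceException extends AuthenticationException
{
    public function getMessageKey(): string
    {
        return 'Authentication request could not be processed due to a system problem.';
    }
}

// What a user provider does when the database call fails: it wraps the
// driver exception so the firewall sees an AuthenticationException, but the
// driver's original text is carried along verbatim in getMessage().
function loadUserWithFailingDatabase(string $username): void
{
    try {
        // Constructed failure standing in for a real PDO connection error.
        throw new \PDOException(
            "SQLSTATE[HY000] [1045] Access denied for user 'sylius'@'10.0.0.5' (using password: YES)"
        );
    } catch (\PDOException $e) {
        throw new AuthenticationServiceException($e->getMessage(), 0, $e);
    }
}

// Vulnerable rendering: equivalent of printing last_error.message in Twig.
function renderLoginErrorUsingMessage(AuthenticationException $e): string
{
    return '<div class="ui negative message">' . htmlspecialchars($e->getMessage()) . '</div>';
}

// Hardened rendering (the advisory's workaround): print last_error.messageKey,
// a fixed string that carries no internal detail.
function renderLoginErrorUsingMessageKey(AuthenticationException $e): string
{
    return '<div class="ui negative message">' . htmlspecialchars($e->getMessageKey()) . '</div>';
}

// Constructed check for the example: does the rendered HTML expose
// driver-level detail (here, the SQLSTATE prefix)?
function leaksInternalDetail(string $html): bool
{
    return str_contains($html, 'SQLSTATE');
}

try {
    loadUserWithFailingDatabase('customer@example.com');
} catch (AuthenticationException $lastError) {
    $viaMessage    = renderLoginErrorUsingMessage($lastError);
    $viaMessageKey = renderLoginErrorUsingMessageKey($lastError);

    echo 'message:    ' . $viaMessage . PHP_EOL;      // contains the driver text
    echo 'messageKey: ' . $viaMessageKey . PHP_EOL;   // generic text only

    echo 'leaks via message:    ' . var_export(leaksInternalDetail($viaMessage), true) . PHP_EOL;
    echo 'leaks via messageKey: ' . var_export(leaksInternalDetail($viaMessageKey), true) . PHP_EOL;
}
```

Running this with PHP 8 (needed for `str_contains`) shows the first rendering carrying the constructed SQLSTATE text while the second carries only the generic key. The same distinction is what the Twig workaround relies on: `last_error.message` exposes whatever the inner exception said, whereas `last_error.messageKey` is a constant chosen by the exception class and is safe to show to a customer.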

Affected packages (1)

CVSS score

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 3.1 | LOW 3.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N |

References (4)