websafe-kb/07-framework-security/frameworks/symfony/cases/symfony-cve-2021-21424.md

Metadata

  • title: Prevent user enumeration using Guard or the new Authenticator-based Security
  • system_id: symfony
  • category: frameworks
  • advisory_mode: core
  • published_date: 2021-05-13T20:23:02Z
  • updated_date: 2026-03-13T22:16:14.858636Z
  • severity: low
  • exploit_status: unknown
  • source_confidence: official
  • verification_status: triage-manual
  • verification_mode: synthetic
  • artifact_mode: synthetic
  • last_run_id: -
  • target_types: lab-local, lab-public, authorized-third-party
  • allow_public_validation: yes, with ownership or explicit authorization
  • authorization_prerequisite: asset ownership proof or explicit written authorization
  • minimal_validation: read-only probe, controlled payload, reversible test
  • aliases: BIT-symfony-2021-21424, CVE-2021-21424, GHSA-5pv8-ppvj-4h68
  • affected_versions: v2.8.0, v2.8.1, v2.8.10, v2.8.11, v2.8.12, v2.8.13, v2.8.14, v2.8.15, v2.8.16, v2.8.17, v2.8.18, v2.8.19, v2.8.2, v2.8.20, v2.8.21, v2.8.22, v2.8.23, v2.8.24, v2.8.25, v2.8.26 (20 entries in lexicographic order; the enumeration stops at v2.8.26 and omits v2.8.3 to v2.8.9)
  • fixed_versions: 5.2.8, 3.4.48, 4.4.23, 2.10.7, 2.11.3, 1.29.2, 1.31.1, 3.4.49, 4.4.24, 5.2.9
  • secure_code_topics: xss-output-encoding, authz-server-side-recheck, path-traversal-guard
  • primary_source: https://github.com/symfony/symfony/security/advisories/GHSA-5pv8-ppvj-4h68

Prevent user enumeration using Guard or the new Authenticator-based Security

Local verification status

  • Verification status: triage-manual
  • Verification mode: synthetic
  • Artifact mode: synthetic
  • Last run: -
  • Browser evidence: missing
  • Run bundle: -

Event layer

  • Canonical ID: symfony--CVE-2021-21424
  • System: symfony
  • Severity: low
  • Source confidence: official
  • Official primary source: https://github.com/symfony/symfony/security/advisories/GHSA-5pv8-ppvj-4h68
  • Affected versions: the front-matter list above enumerates 20 entries from v2.8.0 to v2.8.26 in lexicographic order; it is an incomplete enumeration, and the fixed versions 3.4.48, 4.4.23 and 5.2.8 indicate that the 3.4, 4.4 and 5.2 branches below those releases are affected as well.
  • Fixed versions: 5.2.8, 3.4.48, 4.4.23, 2.10.7, 2.11.3, 1.29.2, 1.31.1, 3.4.49, 4.4.24, 5.2.9
  • Issue: per the linked advisory, the switch-user (impersonation) feature responded differently depending on whether the target username existed, so a user without the relevant permission could enumerate accounts; the fix returns 403 whether or not the target exists.
  • Note: the secure_code_topics tags in the front matter (xss-output-encoding, path-traversal-guard) do not describe this issue; the relevant secure-coding topic is uniform error handling and timing on authentication and impersonation paths.

Other sources

Lab layer

  • Use only against assets you own, test environments, or explicitly authorized targets.
  • Internet-reachable targets are allowed, but only with proof of asset ownership or explicit authorization.
  • Minimal validation methods: minimal validation, read-only probes, auditable responses, controlled payloads.
  • If the case involves a plugin, module, or extension, also review the supply chain and upgrade strategy.
  • For this case the least invasive check is to confirm the installed version of symfony/symfony (or the split symfony/security-http and symfony/security-guard packages) with `composer show <package>` against the fixed versions above before any live probe.
  • Prohibited: Internet targets without ownership proof or explicit authorization; well-known public sites or third-party assets unrelated to the test; actions that cause persistent damage, unauthorized data download, or irreversible effects.

Fix example
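The following is an added example, not Symfony's own code, that models the switch-user lookup before and after the CVE-2021-21424 fix with an in-memory user provider. It assumes PHP 8.0+; the class and function names (`InMemoryUsers`, `switchUserBefore`, `switchUserAfter`, `respond`), the sample users, the simulated latencies and the status-code mapping are all illustrative constructions.

```php
<?php
declare(strict_types=1);
// Added example, not Symfony's own code. Models the switch-user lookup before and
// after the CVE-2021-21424 fix with an in-memory user provider. PHP 8.0+ assumed;
// class and function names below are illustrative.

final class UserNotFound extends \RuntimeException {}
final class AccessDenied extends \RuntimeException {}

final class InMemoryUsers
{
    /** Constructed sample data: username => roles. */
    private const USERS = [
        'alice' => ['ROLE_USER'],
        'admin' => ['ROLE_USER', 'ROLE_ALLOWED_TO_SWITCH'],
    ];

    /** A hit costs more than a miss, as an index lookup plus row hydration would. */
    public function load(string $username): array
    {
        if (!isset(self::USERS[$username])) {
            usleep(500);
            throw new UserNotFound(sprintf('User "%s" not found.', $username));
        }
        usleep(2000);
        return self::USERS[$username];
    }
}

/** Before the fix: the not-found error escapes before the role check runs. */
function switchUserBefore(InMemoryUsers $p, array $callerRoles, string $target): string
{
    $p->load($target);                                   // throws UserNotFound for a missing target
    if (!in_array('ROLE_ALLOWED_TO_SWITCH', $callerRoles, true)) {
        throw new AccessDenied();                        // only reached when the target exists
    }
    return 'switched to '.$target;
}

/** After the fix: always two provider lookups, and every failure becomes a 403. */
function switchUserAfter(InMemoryUsers $p, string $caller, array $callerRoles, string $target): string
{
    try {
        try {
            $p->load($target);
            // Target exists: spend an equivalent miss on a name that cannot exist.
            try { $p->load('_'.bin2hex(random_bytes(8))); } catch (\Throwable) {}
        } catch (UserNotFound $e) {
            $p->load($caller);                           // target missing: spend a hit instead
            throw $e;
        }
        if (!in_array('ROLE_ALLOWED_TO_SWITCH', $callerRoles, true)) {
            throw new AccessDenied();
        }
    } catch (\RuntimeException $e) {
        // Same outward result whether the target was missing or forbidden; the cause stays server-side.
        throw new AccessDenied('Switch User failed', 0, $e);
    }
    return 'switched to '.$target;
}

/** Map an outcome to the HTTP status a firewall would emit (illustrative mapping). */
function respond(callable $handler): array
{
    $t0 = hrtime(true);
    try {
        $handler();
        $status = 302;          // a real listener redirects after switching
    } catch (AccessDenied $e) {
        $status = 403;
    } catch (UserNotFound $e) {
        $status = 401;          // distinguishable from 403: the enumeration oracle
    }
    return [$status, round((hrtime(true) - $t0) / 1e6, 2)];
}

$users = new InMemoryUsers();
$callerRoles = ['ROLE_USER'];                            // alice has no switch permission
foreach (['admin' => 'exists', 'nobody' => 'missing'] as $target => $label) {
    [$s1, $ms1] = respond(fn () => switchUserBefore($users, $callerRoles, $target));
    [$s2, $ms2] = respond(fn () => switchUserAfter($users, 'alice', $callerRoles, $target));
    printf("%-7s before: %d (%.2f ms)   after: %d (%.2f ms)\n", $label, $s1, $ms1, $s2, $ms2);
}
```

Run it with `php example.php`. The pre-fix path lets the caller distinguish an existing target (role check fails, 403) from a missing one (not-found error, 401) and performs only one provider lookup on the miss; the hardened path wraps every failure in the same `AccessDenied` and always performs one hit plus one miss against the provider, so neither the status code nor the provider cost depends on whether the target account exists.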