CVE-2017-11365: Empty passwords validation issue
Symfony 2.7.30, 2.7.31, 2.8.23, 2.8.24, 3.2.10, 3.2.11, 3.3.3, and 3.3.4 versions of the Symfony Security component are affected by this security issue.
The issue has been fixed in Symfony 2.7.32, 2.8.25, 3.2.12, and 3.3.5.
After the "fix", validating a user password with a
but with no
NotBlank constraint would pass without any error as previously
(the empty password would not be compared with the user password). You should
always be explicit and add a
NotBlank constraint, but as it worked before
without, we considered it as a BC break and a security issue.
The fix re-adds the error message when submitting an empty password.
The patch for this issue is available here.