CVE 2016-2403
Symfony before 2.8.6 and 3.x before 3.0.6 allows remote attackers to bypass authentication by logging in with an empty password and valid username, which triggers an unauthenticated bind.
See the 
CVE page on Mitre.org
for more details.
