8000 Symfony Vulnerable to Timing Attack · CVE-2015-8125 · GitHub Advisory Database · GitHub
[go: up one dir, main page]
Skip to content

Symfony Vulnerable to Timing Attack

High severity GitHub Reviewed Published May 17, 2022 to the GitHub Advisory Database • Updated Feb 5, 2024

Package

composer symfony/form (Composer)

Affected versions

>= 2.3.0, < 2.3.35
>= 2.4.0, < 2.6.12
>= 2.7.0, < 2.7.7

Patched versions

2.3.35
2.6.12
2.7.7
composer symfony/security (Composer)
>= 2.3.0, < 2.3.35
>= 2.4.0, < 2.6.12
>= 2.7.0, < 2.7.7
2.3.35
2.6.12
2.7.7
composer symfony/security-http (Composer)
>= 2.4.0, < 2.6.12
>= 2.7.0, < 2.7.7
2.6.12
2.7.7
composer symfony/symfony (Composer)
>= 2.3.0, < 2.3.35
>= 2.7.0, < 2.7.7
>= 2.4.0, < 2.6.12
2.3.35
2.7.7
2.6.12

Description

Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 might allow remote attackers to have unspecified impact via a timing attack involving the (1) Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices or (2) Symfony/Component/Security/Http/Firewall/DigestAuthenticationListener class in the Symfony Security Component, or (3) legacy CSRF implementation from the Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider class in the Symfony Form component.

References

Published by the National Vulnerability Database Dec 7, 2015
Published to the GitHub Advisory Database May 17, 2022
Reviewed Aug 3, 2023
Last updated Feb 5, 2024

Severity

High

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(76th percentile)

Weaknesses

Observable Timing Discrepancy

Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not. Learn more on MITRE.

CVE ID

CVE-2015-8125

GHSA ID

GHSA-g97c-jfx6-xvxh

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.
0