CVE-2018-11386 – symfony/http-foundation

Package

Manager: composer
Name: symfony/http-foundation
Vulnerable Version: >=2.7.0 <2.7.48 || >=2.8.0 <2.8.41 || >=3.3.0 <3.3.17 || >=3.4.0 <3.4.11 || >=4.0.0 <4.0.11

Severity

Level: Medium

CVSS v3.1: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.01086 pctl0.77062

Details

Symfony DoS An issue was discovered in the HttpFoundation component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. The PDOSessionHandler class allows storing sessions on a PDO connection. Under some configurations and with a well-crafted payload, it was possible to do a denial of service on a Symfony application without too much resources.

Metadata

Created: 2022-05-14T01:14:36Z
Modified: 2023-10-06T17:48:16Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-r2rq-3h56-fqm4/GHSA-r2rq-3h56-fqm4.json
CWE IDs: ["CWE-613"]
Alternative ID: GHSA-r2rq-3h56-fqm4
Finding: F280
Auto approve: 1