Fluid Attacks Database

Description

FriendsOfSymfony FOSUserBundle denial of service via login form The login form in the FriendsOfSymfony FOSUserBundle bundle before 1.3.3 for Symfony allows remote attackers to cause a denial of service (CPU consumption) via a long password that triggers an expensive hash computation, as demonstrated by a PBKDF2 computation.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
packagist	friendsofsymfony/user-bundle	>=1.2.0 <1.2.5 \|\| >=1.3.0 <1.3.3	1.2.5, 1.3.3

Aliases

1. CVE-2013-57502. NVD-2013-57503. OSV-2013-57504. GCVE-2013-5750

References

1. https://github.com/FriendsOfPHP/security-advisories/blob/master/friendsofsymfony/user-bundle/CVE-2013-5750.yaml2. https://symfony.com/cve-2013-57503. http://symfony.com/blog/cve-2013-5750-security-issue-in-fosuserbundle-login-form

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.