Fluid Attacks Database

Description

Symfony Denial of Service Via Long Password Hashing The Security component in Symfony 2.0.x before 2.0.25, 2.1.x before 2.1.13, 2.2.x before 2.2.9, and 2.3.x before 2.3.6 allows remote attackers to cause a denial of service (CPU consumption) via a long password that triggers an expensive hash computation, as demonstrated by a PBKDF2 computation, a similar issue to CVE-2013-5750.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
packagist	symfony/polyfill	>=1.0.0 <1.10.0	1.10.0
packagist	symfony/symfony	>=2.0.0 <2.0.25 \|\| >=2.1.0 <2.1.13 \|\| >=2.2.0 <2.2.9 \|\| >=2.3.0 <2.3.6	2.0.25, 2.1.13, 2.2.9, 2.3.6
packagist	symfony/security	>=2.0.0 <2.0.25 \|\| >=2.1.0 <2.1.13 \|\| >=2.2.0 <2.2.9 \|\| >=2.3.0 <2.3.6	2.0.25, 2.1.13, 2.2.9, 2.3.6
packagist	symfony/polyfill-php55	>=1.0.0 <1.10.0	1.10.0

Aliases

1. CVE-2013-59582. NVD-2013-59583. OSV-2013-59584. GCVE-2013-5958

References

1. https://github.com/symfony/symfony/issues/115222. https://github.com/symfony/polyfill/pull/1553. https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/polyfill/CVE-2013-5958.yaml4. https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security/CVE-2013-5958.yaml5. https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2013-5958.yaml6. https://symfony.com/blog/security-releases-cve-2013-5958-symfony-2-0-25-2-1-13-2-2-9-and-2-3-6-released7. http://symfony.com/blog/security-releases-cve-2013-5958-symfony-2-0-25-2-1-13-2-2-9-and-2-3-6-released

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.