Timing Attack

Affecting symfony/http-kernel package, versions >=2.8.0, <2.8.52 || >=3.4.0, <3.4.35 || >=4.2.0, <4.2.12 || >=4.3.0, <4.3.8


Overview

symfony/http-kernel is a Symfony component that provides a structured process for converting a Request into a Response.

Affected versions of this package are vulnerable to Timing Attack. When checking the signature of a URI (for instance an ESI fragment URL), the URISigner does not use a constant-time string comparison function, resulting in a potential remote timing attack vulnerability.
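The defect described above, shown as an added example that is not Symfony's own UriSigner: a simplified signer with the non-constant-time comparison (checkInsecure) next to the hash_equals() fix (check). The class name, the _hash parameter, the secret and the sample URI are constructed for this example.

```php
<?php
// Added example, not Symfony's code: a minimal URI signer whose checkInsecure()
// has the defect class described above (a non-constant-time signature comparison)
// and whose check() is the fixed form. The "_hash" parameter name and HMAC layout
// are this example's choices; absolute URIs are assumed. Requires PHP 8.0+.
final class ExampleUriSigner
{
    public function __construct(private string $secret) {}
    // Append an HMAC of the URI (minus any existing _hash) as a query parameter.
    public function sign(string $uri): string
    {
        $base = $this->stripHash($uri);
        return $base . (str_contains($base, '?') ? '&' : '?') . '_hash=' . rawurlencode($this->computeHash($base));
    }
    // Vulnerable: === returns at the first differing byte, so the response time
    // leaks how many leading bytes of a submitted _hash match the real one.
    public function checkInsecure(string $uri): bool
    {
        $given = $this->extractHash($uri);
        return $given !== null && $given === $this->computeHash($this->stripHash($uri));
    }
    // Fixed: hash_equals() takes the same time wherever the strings differ.
    public function check(string $uri): bool
    {
        $given = $this->extractHash($uri);
        return $given !== null && hash_equals($this->computeHash($this->stripHash($uri)), $given);
    }
    private function computeHash(string $uri): string
    {
        return base64_encode(hash_hmac('sha256', $uri, $this->secret, true));
    }
    private function extractHash(string $uri): ?string
    {
        parse_str((string) parse_url($uri, PHP_URL_QUERY), $q);
        return isset($q['_hash']) && is_string($q['_hash']) ? $q['_hash'] : null;
    }
    // Rebuild the URI without _hash so signing and checking hash the same string.
    private function stripHash(string $uri): string
    {
        $p = parse_url($uri);
        parse_str($p['query'] ?? '', $q);
        unset($q['_hash']);
        $base = $p['scheme'] . '://' . $p['host'] . (isset($p['port']) ? ':' . $p['port'] : '') . ($p['path'] ?? '/');
        return $q ? $base . '?' . http_build_query($q) : $base;
    }
}
$signer = new ExampleUriSigner('constructed-secret');
$signed = $signer->sign('https://example.test/_fragment?_path=_controller%3Dfoo');
var_dump($signer->check($signed), $signer->check($signed . 'x'));
```

Both check methods accept or reject the same URIs; only the fixed one keeps the rejection time independent of how much of the submitted signature is correct.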

Remediation

Upgrade symfony/http-kernel to version 2.8.52, 3.4.35, 4.2.12, 4.3.8 or higher.

References

CVSS Score

4.2
medium severity
  • Attack Vector: Adjacent
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: Low
  • Availability: None
CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Credit: Unknown
CVE: CVE-2019-18887
CWE: CWE-362
Snyk ID: SNYK-PHP-SYMFONYHTTPKERNEL-535377
Disclosed: 21 Nov, 2019
Published: 22 Nov, 2019