Timing Attack Affecting symfony/security-http package, versions >=2.6.0, <2.6.12 >=2.4.0, <2.5.0 >=2.7.0, <2.7.7 >=2.5.0, <2.6.0


0.0
high

Snyk CVSS

    Attack Complexity Low

    Threat Intelligence

    EPSS 1.06% (84th percentile)
Expand this section
NVD
7.3 high

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PHP-SYMFONYSECURITYHTTP-70196
  • published 23 Nov 2015
  • disclosed 23 Nov 2015
  • credit Sebastiaan Stok

How to fix?

Upgrade symfony/security-http to version 2.6.12, 2.5.0, 2.7.7, 2.6.0 or higher.

Overview

Affected versions of symfony/security-http are vulnerable to Timing Attack.

Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 might allow remote attackers to have unspecified impact via a timing attack involving:

  • Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices or
  • Symfony/Component/Security/Http/Firewall/DigestAuthenticationListener class in the Symfony Security Component, or
  • legacy CSRF implementation from the Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider class in the Symfony Form component.