Timing Attack

Affecting symfony/symfony package, versions >=2.8.0, <2.8.52 || >=3.4.0, <3.4.35 || >=4.2.0, <4.2.12 || >=4.3.0, <4.3.8

Do your applications use this vulnerable package? Test your applications

Overview

symfony/symfony is a PHP framework for web applications and a set of reusable PHP components.

Affected versions of this package are vulnerable to Timing Attack. When checking the signature of an URI (an ESI fragment URL for instance), the URISigner does not use a constant time string comparison function, resulting in a potential remote timing attack vulnerability.

Remediation

Upgrade symfony/symfony to version 2.8.52, 3.4.35, 4.2.12, 4.3.8 or higher.

References

CVSS Score

4.2
medium severity
  • Attack Vector
    Adjacent
  • Attack Complexity
    High
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    Low
  • Integrity
    Low
  • Availability
    None
CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Credit
Unknown
CVE
CVE-2019-18887
CWE
CWE-362
Snyk ID
SNYK-PHP-SYMFONYSYMFONY-535350
Disclosed
21 Nov, 2019
Published
22 Nov, 2019