Published: 21/11/2019 Updated: 07/11/2023

CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6

CVSS v3 Base Score: 8.1 | Impact Score: 5.9 | Exploitability Score: 2.2

VMScore: 605

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

An issue exists in Symfony 2.8.0 up to and including 2.8.50, 3.4.0 up to and including 3.4.34, 4.2.0 up to and including 4.2.11, and 4.3.0 up to and including 4.3.7. The UriSigner was subject to timing attacks. This is related to symfony/http-kernel.

Vulnerable Product	Search on Vulmon	Subscribe to Product
sensiolabs symfony
fedoraproject fedora 30
fedoraproject fedora 31

Multiple vulnerabilities have been found in the Symfony PHP framework which could lead to a timing attack/information leak, argument injection and code execution via unserialization For the oldstable distribution (stretch), these problems have been fixed in version 287+dfsg-13+deb9u3 For the stable distribution (buster), these problems have be ...

CWE-203 https://github.com/symfony/symfony/releases/tag/v4.3.8 https://symfony.com/blog/symfony-4-3-8-released https://symfony.com/blog/cve-2019-18887-use-constant-time-comparison-in-urisigner https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DZNXRVHDQBNZQUCNRVZICPPBFRAUWUJX/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VXEAOEANNIVYANTMOJ42NKSU6BGNBULZ/https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA/https://nvd.nist.gov https://www.debian.org/security/2019/dsa-4573

Get Started

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

CVE-2019-18887

Vulnerability Summary

Vulnerability Trend

Vendor Advisories

References

Vulmon Search

About

Products

Connect