Description
Symfony Http-Kernel has non-constant time comparison in UriSigner
When checking the signature of a URI (an ESI fragment URL, for instance), the UriSigner did not use a constant-time string comparison function, resulting in a potential remote timing attack vulnerability.
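As an added illustration (not Symfony's own code), a minimal signer in the style of UriSigner that puts the non-constant-time check described above next to the constant-time form; the class and method names, the secret and the sample URI are hypothetical or constructed.

```php
<?php
// Added illustration, not Symfony's own code: a minimal signer in the style of
// UriSigner. The class, method names, secret and sample URI are hypothetical or
// constructed; the "vulnerable" path mirrors the pre-fix comparison pattern.
final class MiniUriSigner
{
    public function __construct(private string $secret, private string $parameter = '_hash') {}

    // Rebuild the URI with a fresh HMAC over everything except the signature parameter.
    public function sign(string $uri): string
    {
        $url = parse_url($uri);
        $params = [];
        if (isset($url['query'])) {
            parse_str($url['query'], $params);
        }
        unset($params[$this->parameter]);   // drop any signature already present
        ksort($params);                     // canonical parameter order before hashing
        $unsigned = $this->buildUrl($url, $params);
        $params[$this->parameter] = hash_hmac('sha256', $unsigned, $this->secret);
        return $this->buildUrl($url, $params);
    }

    // Vulnerable form: === stops at the first differing byte, so the time taken
    // leaks how many leading bytes of a guessed signature are correct.
    public function checkVulnerable(string $uri): bool
    {
        return $this->sign($uri) === $uri;
    }

    // Fixed form: hash_equals() takes the same time wherever the strings differ,
    // so a caller learns only valid/invalid.
    public function checkFixed(string $uri): bool
    {
        return hash_equals($this->sign($uri), $uri);
    }

    private function buildUrl(array $url, array $params): string
    {
        $query = $params ? '?' . http_build_query($params, '', '&') : '';
        return ($url['scheme'] ?? 'http') . '://' . ($url['host'] ?? 'localhost')
            . ($url['path'] ?? '/') . $query;
    }
}

$signer = new MiniUriSigner('constructed-demo-secret');
$signed = $signer->sign('https://example.test/_fragment?_path=foo');
var_dump($signer->checkFixed($signed));                       // correctly signed URI
var_dump($signer->checkFixed(substr($signed, 0, -1) . 'x'));  // tampered signature
```

Both check methods return the same booleans; only the timing behaviour differs, which is exactly what the 4.3.8 fix changed.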
References
- https://nvd.nist.gov/vuln/detail/CVE-2019-18887
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-kernel/CVE-2019-18887.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2019-18887.yaml
- https://github.com/symfony/symfony/releases/tag/v4.3.8
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DZNXRVHDQBNZQUCNRVZICPPBFRAUWUJX
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VXEAOEANNIVYANTMOJ42NKSU6BGNBULZ
- https://symfony.com/blog/cve-2019-18887-use-constant-time-comparison-in-urisigner
- https://symfony.com/blog/symfony-4-3-8-released
- https://symfony.com/cve-2019-18887
Packages
Package               Affected versions     Fixed in
symfony/http-kernel   >= 2.2.0, < 2.8.52    2.8.52
symfony/http-kernel   >= 3.0.0, < 3.4.35    3.4.35
symfony/http-kernel   >= 4.0.0, < 4.2.12    4.2.12
symfony/http-kernel   >= 4.3.0, < 4.3.8     4.3.8
symfony/symfony       >= 2.2.0, < 2.8.52    2.8.52
symfony/symfony       >= 3.0.0, < 3.4.35    3.4.35
symfony/symfony       >= 4.0.0, < 4.2.12    4.2.12
symfony/symfony       >= 4.3.0, < 4.3.8     4.3.8
Related vulnerabilities
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. The UriSigner was subject to timing attacks. This is related to symfony/http-kernel.
A vulnerability in the Symfony software platform for developing and managing web applications, related to concurrent execution using a shared resource with improper synchronization, allowing an attacker to gain access to confidential data, violate its integrity, and cause a denial of service