Описание
Symfony DoS
An issue was discovered in the HttpFoundation component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. The PDOSessionHandler class allows storing sessions on a PDO connection. Under some configurations and with a well-crafted payload, it was possible to do a denial of service on a Symfony application without too much resources.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2018-11386
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2018-11386.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2018-11386.yaml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G4XNBMFW33H47O5TZGA7JYCVLDBCXAJV
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBQK7JDXIELADIPGZIOUCZKMAJM5LSBW
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WU5N2TZFNGXDGMXMPP7LZCWTFLENF6WH
- https://symfony.com/blog/cve-2018-11386-denial-of-service-when-using-pdosessionhandler
- https://symfony.com/cve-2018-11386
- https://www.debian.org/security/2018/dsa-4262
Пакеты
symfony/symfony
>= 2.7.0, < 2.7.48
2.7.48
symfony/symfony
>= 2.8.0, < 2.8.41
2.8.41
symfony/symfony
>= 3.3.0, < 3.3.17
3.3.17
symfony/symfony
>= 3.4.0, < 3.4.11
3.4.11
symfony/symfony
>= 4.0.0, < 4.0.11
4.0.11
symfony/http-foundation
>= 2.7.0, < 2.7.48
2.7.48
symfony/http-foundation
>= 2.8.0, < 2.8.41
2.8.41
symfony/http-foundation
>= 3.3.0, < 3.3.17
3.3.17
symfony/http-foundation
>= 3.4.0, < 3.4.11
3.4.11
symfony/http-foundation
>= 4.0.0, < 4.0.11
4.0.11
Связанные уязвимости
An issue was discovered in the HttpFoundation component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. The PDOSessionHandler class allows storing sessions on a PDO connection. Under some configurations and with a well-crafted payload, it was possible to do a denial of service on a Symfony application without too much resources.
An issue was discovered in the HttpFoundation component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. The PDOSessionHandler class allows storing sessions on a PDO connection. Under some configurations and with a well-crafted payload, it was possible to do a denial of service on a Symfony application without too much resources.
An issue was discovered in the HttpFoundation component in Symfony 2.7 ...
Уязвимость компонента HttpFoundation программной платформы для разработки и управления веб-приложениями Symfony, позволяющая нарушителю вызвать отказ в обслуживании