Incorrect Comparison in Symfony - CVE-2019-18887

Published: November 19, 2019 / Updated: November 19, 2019


Vulnerability identifier: #VU22851
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2019-18887
CWE-ID: CWE-697
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: SensioLabs
Affected software:
Symfony

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists in the HttpKernel component of Symfony when it checks the signature of a URI (for instance an ESI fragment URL), because the UriSigner does not use a constant-time string comparison function. A remote attacker can perform a timing attack against the signature check and gain access to sensitive functionality.
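To illustrate the weakness described above, here is an added example (not Symfony's own UriSigner code) of a minimal URI signer that appends an HMAC `_hash` query parameter, with the flawed early-exit comparison next to the constant-time one; the secret and the URIs are constructed placeholders.

```php
<?php
// Added example, not Symfony's UriSigner: a minimal signer that appends an
// HMAC `_hash` parameter, shown with the flawed check and the fixed check.

const SECRET = 'constructed-example-secret';  // placeholder, not a real key

function signUri(string $uri, string $secret = SECRET): string
{
    $sep = (strpos($uri, '?') === false) ? '?' : '&';
    return $uri . $sep . '_hash=' . hash_hmac('sha256', $uri, $secret);
}

// Split "<uri>[?|&]_hash=<hex>" into [uri, hex]; null when no signature.
function splitSignedUri(string $signedUri): ?array
{
    if (!preg_match('/^(.*)[?&]_hash=([0-9a-f]{64})$/', $signedUri, $m)) {
        return null;
    }
    return [$m[1], $m[2]];
}

// Flawed pattern (the CWE-697 issue): `===` on strings stops at the first
// mismatching byte, so the time taken depends on how many leading bytes of
// the supplied `_hash` already match the expected value.
function checkUriVulnerable(string $signedUri, string $secret = SECRET): bool
{
    $parts = splitSignedUri($signedUri);
    if ($parts === null) {
        return false;
    }
    [$uri, $hash] = $parts;
    return hash_hmac('sha256', $uri, $secret) === $hash;
}

// Fixed pattern: hash_equals() compares every byte of two equal-length
// strings, so the comparison time does not reveal where a mismatch occurs.
function checkUriSafe(string $signedUri, string $secret = SECRET): bool
{
    $parts = splitSignedUri($signedUri);
    if ($parts === null) {
        return false;
    }
    [$uri, $hash] = $parts;
    return hash_equals(hash_hmac('sha256', $uri, $secret), $hash);
}

// Constructed fragment URL; the second call tampers with the signed path.
$signed = signUri('https://example.test/_fragment?_path=foo');
var_dump(checkUriSafe($signed));
var_dump(checkUriSafe(str_replace('foo', 'bar', $signed)));
```

Both functions return the same booleans for the same input; the difference is only in the timing side channel, which is why the fix is to swap the comparison rather than the signing scheme.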


How to mitigate CVE-2019-18887

Install the updates from the vendor's website.

Sources