#VU31282 Insufficient Session Expiration in Symfony - CVE-2018-11386
Published: June 13, 2018 / Updated: July 17, 2020
Vulnerability identifier: #VU31282
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2018-11386
CWE-ID: CWE-613
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Symfony
Symfony
Software vendor:
SensioLabs
SensioLabs
Description
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
An issue was discovered in the HttpFoundation component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. The PDOSessionHandler class allows storing sessions on a PDO connection. Under some configurations and with a well-crafted payload, it was possible to do a denial of service on a Symfony application without too much resources.
Remediation
Install update from vendor's website.
External links
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G4XNBMFW33H47O5TZGA7JYCVLDBCXAJV/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBQK7JDXIELADIPGZIOUCZKMAJM5LSBW/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WU5N2TZFNGXDGMXMPP7LZCWTFLENF6WH/
- https://symfony.com/blog/cve-2018-11386-denial-of-service-when-using-pdosessionhandler
- https://www.debian.org/security/2018/dsa-4262