Insufficient Session Expiration in Symfony - CVE-2018-11386
Published: June 13, 2018 / Updated: July 17, 2020
Vulnerability identifier: #VU31282
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2018-11386
CWE-ID: CWE-613
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: SensioLabs
Affected software:
Symfony
Symfony
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
An issue was discovered in the HttpFoundation component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. The PDOSessionHandler class allows storing sessions on a PDO connection. Under some configurations and with a well-crafted payload, it was possible to do a denial of service on a Symfony application without too much resources.
How to mitigate CVE-2018-11386
Install update from vendor's website.
Sources
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G4XNBMFW33H47O5TZGA7JYCVLDBCXAJV/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBQK7JDXIELADIPGZIOUCZKMAJM5LSBW/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WU5N2TZFNGXDGMXMPP7LZCWTFLENF6WH/
- https://symfony.com/blog/cve-2018-11386-denial-of-service-when-using-pdosessionhandler
- https://www.debian.org/security/2018/dsa-4262