Cryptographic issues in Debian Linux and Symfony - CVE-2016-1902
Published: June 1, 2016 / Updated: August 9, 2020
Vulnerability identifier: #VU40254
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2016-1902
CWE-ID: CWE-310
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Debian
SensioLabs
SensioLabs
Affected software:
Debian Linux
Symfony
Debian Linux
Symfony
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
The nextBytes function in the SecureRandom class in Symfony before 2.3.37, 2.6.x before 2.6.13, and 2.7.x before 2.7.9 does not properly generate random numbers when used with PHP 5.x without the paragonie/random_compat library and the openssl_random_pseudo_bytes function fails, which makes it easier for attackers to defeat cryptographic protection mechanisms via unspecified vectors.
How to mitigate CVE-2016-1902
Install update from vendor's website.