CVE-2018-11386
Severity: MEDIUM
Symfony HttpFoundation 2.7.0-2.7.47 - Denial of Service via PDOSessionHandler
Title source: llmDescription
An issue was discovered in the HttpFoundation component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. The PDOSessionHandler class allows storing sessions on a PDO connection. Under some configurations and with a well-crafted payload, it was possible to cause a denial of service on a Symfony application without requiring many resources.
References (5)
Core References
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UBQK7JDXIELADIPGZIOUCZKMAJM5LSBW/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WU5N2TZFNGXDGMXMPP7LZCWTFLENF6WH/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G4XNBMFW33H47O5TZGA7JYCVLDBCXAJV/
Vendor Advisory x_refsource_confirm
https://symfony.com/blog/cve-2018-11386-denial-of-service-when-using-pdosessionhandler
Third Party Advisory vendor-advisory
x_refsource_debian
https://www.debian.org/security/2018/dsa-4262
Scores
CVSS v3
5.9
EPSS
0.0161
EPSS Percentile
72.7%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-613
Status
published
Products (4)
debian/debian_linux
9.0
sensiolabs/symfony
2.7.0 - 2.7.48
symfony/http-foundation
2.7.0 - 2.7.48 (Packagist)
symfony/symfony
2.7.0 - 2.7.48 (Packagist)
Published
Jun 13, 2018
Tracked Since
Feb 18, 2026