CVE-2019-18887
Severity: HIGH
Symfony 2.8.0-2.8.50, 3.4.0-3.4.34, 4.2.0-4.2.11, 4.3.0-4.3.7 - Timing Attack in UriSigner
Title source: llmDescription
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. The UriSigner was subject to timing attacks. This is related to symfony/http-kernel.
References (6)
Core References
Release Notes x_refsource_confirm
https://symfony.com/blog/symfony-4-3-8-released
Release Notes x_refsource_confirm
https://github.com/symfony/symfony/releases/tag/v4.3.8
Vendor Advisory x_refsource_confirm
https://symfony.com/blog/cve-2019-18887-use-constant-time-comparison-in-urisigner
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DZNXRVHDQBNZQUCNRVZICPPBFRAUWUJX/
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VXEAOEANNIVYANTMOJ42NKSU6BGNBULZ/
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA/
Scores
CVSS v3
8.1
EPSS
0.0134
EPSS Percentile
67.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-203
Status
published
Products (5)
fedoraproject/fedora
30
fedoraproject/fedora
31
sensiolabs/symfony
2.8.0 - 2.8.50
symfony/http-kernel
2.2.0 - 2.8.52 (Packagist)
symfony/symfony
2.2.0 - 2.8.52 (Packagist)
Published
Nov 21, 2019
Tracked Since
Feb 18, 2026