Lucene search

K
osvGoogleOSV:DSA-3402-1
HistoryNov 24, 2015 - 12:00 a.m.

symfony - security update

2015-11-2400:00:00
Google
osv.dev
3

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.015 Low

EPSS

Percentile

87.2%

Several vulnerabilities have been discovered in symfony, a framework to
create websites and web applications. The Common Vulnerabilities and
Exposures project identifies the following problems:

  • CVE-2015-8124
    The RedTeam Pentesting GmbH team discovered a session fixation
    vulnerability within the Remember Me login feature, allowing an
    attacker to impersonate the victim towards the web application if
    the session id value was previously known to the attacker.
  • CVE-2015-8125
    Several potential remote timing attack vulnerabilities were
    discovered in classes from the Symfony Security component and in the
    legacy CSRF implementation from the Symfony Form component.

For the stable distribution (jessie), these problems have been fixed in
version 2.3.21+dfsg-4+deb8u2.

For the unstable distribution (sid), these problems have been fixed in
version 2.7.7+dfsg-1.

We recommend that you upgrade your symfony packages.

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.015 Low

EPSS

Percentile

87.2%