GoogleOSV:DSA-3402-1symfony - security update
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.015 Low
EPSS
Percentile
87.2%
Several vulnerabilities have been discovered in symfony, a framework to
create websites and web applications. The Common Vulnerabilities and
Exposures project identifies the following problems:
- CVE-2015-8124
The RedTeam Pentesting GmbH team discovered a session fixation
vulnerability within the Remember Me login feature, allowing an
attacker to impersonate the victim towards the web application if
the session id value was previously known to the attacker. - CVE-2015-8125
Several potential remote timing attack vulnerabilities were
discovered in classes from the Symfony Security component and in the
legacy CSRF implementation from the Symfony Form component.
For the stable distribution (jessie), these problems have been fixed in
version 2.3.21+dfsg-4+deb8u2.
For the unstable distribution (sid), these problems have been fixed in
version 2.7.7+dfsg-1.
We recommend that you upgrade your symfony packages.
| CPE | Name | Operator | Version |
|---|---|---|---|
| symfony | eq | 2.3.21+dfsg-4 | |
| symfony | eq | 2.3.21+dfsg-4+deb8u1 |
References
Related
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.015 Low
EPSS
Percentile
87.2%