Lucene search

GoogleOSV:CVE-2019-18887

HistoryNov 21, 2019 - 11:15 p.m.

CVE-2019-18887

2019-11-2123:15:13

Google

osv.dev

AI Score

7.9

Confidence

High

EPSS

0.009

Percentile

82.4%

JSON

An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. The UriSigner was subject to timing attacks. This is related to symfony/http-kernel.

References

github.com/symfony/symfony/releases/tag/v4.3.8

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DZNXRVHDQBNZQUCNRVZICPPBFRAUWUJX/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA/

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VXEAOEANNIVYANTMOJ42NKSU6BGNBULZ/

symfony.com/blog/cve-2019-18887-use-constant-time-comparison-in-urisigner

symfony.com/blog/symfony-4-3-8-released