Lucene search
Veracode Vulnerability DatabaseVERACODE:21971HistoryNov 18, 2019 - 4:13 a.m.
Timing Attack
2019-11-1804:13:13
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
23
EPSS
0.009
Percentile
82.4%
symfony/symfony is vulnerable to timing attack. When checking the signature of an URI (an ESI fragment URL for instance), the URISigner did not used a constant time string comparison function, allowing a remote attacker to guess the URI by analyzing the server response time.
References
github.com/symfony/symfony/releases/tag/v4.3.8
lists.fedoraproject.org/archives/list/[email protected]/message/DZNXRVHDQBNZQUCNRVZICPPBFRAUWUJX/
lists.fedoraproject.org/archives/list/[email protected]/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA/
lists.fedoraproject.org/archives/list/[email protected]/message/VXEAOEANNIVYANTMOJ42NKSU6BGNBULZ/
symfony.com/blog/cve-2019-18887-use-constant-time-comparison-in-urisigner
symfony.com/blog/symfony-4-3-8-released
Related
ubuntucve
ubuntucve
CVE-2019-18887
2019-11-21 00:00:00
friendsofphp
friendsofphp
CVE-2019-18887: Use constant time comparison in UriSigner
1970-01-01 00:00:00
CVE-2019-18887: Use constant time comparison in UriSigner
1970-01-01 00:00:00
symfony
symfony
CVE-2019-18887: Use constant time comparison in UriSigner
2019-11-13 00:00:00
debiancve
debiancve
CVE-2019-18887
2019-11-21 23:15:13
prion
prion
Design/Logic Flaw
2019-11-21 23:15:00
osv
osv
Symfony Http-Kernel has non-constant time comparison in UriSigner
2022-03-26 00:22:49
CVE-2019-18887
2019-11-21 23:15:13
symfony - security update
2019-11-18 00:00:00
cvelist
cvelist
CVE-2019-18887
2019-11-21 22:18:04
nvd
nvd
CVE-2019-18887
2019-11-21 23:15:13
github
github
Symfony Http-Kernel has non-constant time comparison in UriSigner
2022-03-26 00:22:49
cve
cve
CVE-2019-18887
2019-11-21 23:15:13
openvas
openvas
Symfony 2.8.0 <= 2.8.51, 3.4.0 <= 3.4.34, 4.2.0 <= 4.2.11 and 4.3.0 <= 4.3.7 Multiple Vulnerabilities
2019-11-22 00:00:00
Debian: Security Advisory (DSA-4573-1)
2019-11-20 00:00:00
Debian: Security Advisory (DLA-1999-1)
2019-11-26 00:00:00
fedora
fedora
[SECURITY] Fedora 30 Update: php-symfony-2.8.52-1.fc30
2019-11-22 01:22:56
[SECURITY] Fedora 31 Update: php-symfony-2.8.52-1.fc31
2019-11-22 00:48:09
[SECURITY] Fedora 31 Update: php-symfony3-3.4.35-2.fc31
2019-11-22 00:48:10
nessus
nessus
Fedora 31 : php-symfony (2019-5ae4fd9203)
2019-11-22 00:00:00
Fedora 30 : php-symfony (2019-9c2ad3b018)
2019-11-22 00:00:00
Debian DLA-1999-1 : symfony security update
2019-11-20 00:00:00
debian
debian
[SECURITY] [DSA 4573-1] symfony security update
2019-11-18 22:04:18
[SECURITY] [DLA 1999-1] symfony security update
2019-11-19 01:38:11