CVE Vulnerabilities

CVE-2016-4423

Published: Jun 01, 2016 | Modified: Jun 03, 2016
CVSS 3.x
7.5
HIGH
Source:
NVD
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.x
5 MEDIUM
AV:N/AC:L/Au:N/C:N/I:N/A:P
RedHat/V2
RedHat/V3
Ubuntu

The attemptAuthentication function in Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php in Symfony before 2.3.41, 2.7.x before 2.7.13, 2.8.x before 2.8.6, and 3.0.x before 3.0.6 does not limit the length of a username stored in a session, which allows remote attackers to cause a denial of service (session storage consumption) via a series of authentication attempts with long, non-existent usernames.

Affected Software

Name Vendor Start Version End Version
Symfony Sensiolabs 2.7.5 2.7.5
Symfony Sensiolabs 3.0.5 3.0.5
Symfony Sensiolabs 2.7.4 2.7.4
Symfony Sensiolabs 2.7.7 2.7.7
Symfony Sensiolabs 3.0.2 3.0.2
Symfony Sensiolabs 2.7.1 2.7.1
Symfony Sensiolabs 2.7.8 2.7.8
Symfony Sensiolabs 2.8.0 2.8.0
Symfony Sensiolabs 2.8.4 2.8.4
Symfony Sensiolabs 2.7.10 2.7.10
Symfony Sensiolabs 2.8.3 2.8.3
Symfony Sensiolabs 3.0.1 3.0.1
Symfony Sensiolabs 2.7.0 2.7.0
Symfony Sensiolabs 2.7.3 2.7.3
Symfony Sensiolabs 2.8.1 2.8.1
Symfony Sensiolabs 3.0.0 3.0.0
Symfony Sensiolabs 2.7.2 2.7.2
Symfony Sensiolabs 2.8.5 2.8.5
Symfony Sensiolabs 3.0.3 3.0.3
Symfony Sensiolabs 2.7.11 2.7.11
Symfony Sensiolabs 3.0.4 3.0.4
Symfony Sensiolabs 2.7.6 2.7.6
Symfony Sensiolabs * 2.3.40
Symfony Sensiolabs 2.8.2 2.8.2
Symfony Sensiolabs 2.7.12 2.7.12
Symfony Sensiolabs 2.7.9 2.7.9

References