Denial of Service Vulnerability in Symfony Framework Components
CVE-2016-4423

7.5HIGH

Key Information:

Vendor
Sensiolabs
Status
Symfony
Vendor
CVE Published:
1 June 2016

Summary

The attemptAuthentication function in the Symfony framework fails to restrict the length of usernames stored in user sessions. This oversight enables remote attackers to exploit the system by making repeated authentication attempts using overly long, non-existent usernames. Such activity can lead to excessive consumption of session storage resources, potentially resulting in a denial of service scenario where legitimate users are denied access.

References

https://symfony.com/blog/cve-2016-4423-large-username-sto...
x_refsource_CONFIRM
https://github.com/symfony/symfony/pull/18733
x_refsource_CONFIRM
http://www.debian.org/security/2016/dsa-3588
vendor-advisoryx_refsource_DEBIAN

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2016-4423 : Denial of Service Vulnerability in Symfony Framework Components | SecurityVulnerability.io