GHSA-g97c-jfx6-xvxh

Source
https://github.com/advisories/GHSA-g97c-jfx6-xvxh
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-g97c-jfx6-xvxh/GHSA-g97c-jfx6-xvxh.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-g97c-jfx6-xvxh
Aliases
Published
2022-05-17T03:25:24Z
Modified
2024-11-30T05:38:39.146840Z
Summary
Symfony Vulnerable to Timing Attack
Details

Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 might allow remote attackers to have unspecified impact via a timing attack involving the (1) Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices or (2) Symfony/Component/Security/Http/Firewall/DigestAuthenticationListener class in the Symfony Security Component, or (3) legacy CSRF implementation from the Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider class in the Symfony Form component.

Database specific
{
    "nvd_published_at": "2015-12-07T20:59:00Z",
    "cwe_ids": [
        "CWE-208"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-03T21:48:26Z"
}
References

Affected packages

Packagist / symfony/symfony

Package

Name
symfony/symfony
Purl
pkg:composer/symfony/symfony

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.3.0
Fixed
2.3.35

Affected versions

v2.*

v2.3.0
v2.3.1
v2.3.2
v2.3.3
v2.3.4
v2.3.5
v2.3.6
v2.3.7
v2.3.8
v2.3.9
v2.3.10
v2.3.11
v2.3.12
v2.3.13
v2.3.14
v2.3.15
v2.3.16
v2.3.17
v2.3.18
v2.3.19
v2.3.20
v2.3.21
v2.3.22
v2.3.23
v2.3.24
v2.3.25
v2.3.26
v2.3.27
v2.3.28
v2.3.29
v2.3.30
v2.3.31
v2.3.32
v2.3.33
v2.3.34

Packagist / symfony/symfony

Package

Name
symfony/symfony
Purl
pkg:composer/symfony/symfony

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.7.0
Fixed
2.7.7

Affected versions

v2.*

v2.7.0
v2.7.1
v2.7.2
v2.7.3
v2.7.4
v2.7.5
v2.7.6

Packagist / symfony/form

Package

Name
symfony/form
Purl
pkg:composer/symfony/form

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.3.0
Fixed
2.3.35

Affected versions

v2.*

v2.3.0
v2.3.1
v2.3.2
v2.3.3
v2.3.4
v2.3.5
v2.3.6
v2.3.7
v2.3.8
v2.3.9
v2.3.10
v2.3.11
v2.3.12
v2.3.13
v2.3.14
v2.3.15
v2.3.16
v2.3.17
v2.3.18
v2.3.19
v2.3.20
v2.3.21
v2.3.22
v2.3.23
v2.3.24
v2.3.25
v2.3.26
v2.3.27
v2.3.28
v2.3.29
v2.3.30
v2.3.31
v2.3.32
v2.3.33
v2.3.34

Packagist / symfony/form

Package

Name
symfony/form
Purl
pkg:composer/symfony/form

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.4.0
Fixed
2.6.12

Affected versions

v2.*

v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v2.4.6
v2.4.7
v2.4.8
v2.4.9
v2.4.10
v2.5.0-BETA1
v2.5.0-BETA2
v2.5.0-RC1
v2.5.0
v2.5.1
v2.5.2
v2.5.3
v2.5.4
v2.5.5
v2.5.6
v2.5.7
v2.5.8
v2.5.9
v2.5.10
v2.5.11
v2.5.12
v2.6.0-BETA1
v2.6.0-BETA2
v2.6.0
v2.6.1
v2.6.2
v2.6.3
v2.6.4
v2.6.5
v2.6.6
v2.6.7
v2.6.8
v2.6.9
v2.6.10
v2.6.11

Packagist / symfony/form

Package

Name
symfony/form
Purl
pkg:composer/symfony/form

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.7.0
Fixed
2.7.7

Affected versions

v2.*

v2.7.0
v2.7.1
v2.7.2
v2.7.3
v2.7.4
v2.7.5
v2.7.6

Packagist / symfony/security-http

Package

Name
symfony/security-http
Purl
pkg:composer/symfony/security-http

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.4.0
Fixed
2.6.12

Affected versions

v2.*

v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v2.4.6
v2.4.7
v2.4.8
v2.4.9
v2.4.10
v2.5.0-BETA1
v2.5.0-BETA2
v2.5.0-RC1
v2.5.0
v2.5.1
v2.5.2
v2.5.3
v2.5.4
v2.5.5
v2.5.6
v2.5.7
v2.5.8
v2.5.9
v2.5.10
v2.5.11
v2.5.12
v2.6.0-BETA1
v2.6.0-BETA2
v2.6.0
v2.6.1
v2.6.2
v2.6.3
v2.6.4
v2.6.5
v2.6.6
v2.6.7
v2.6.8
v2.6.9
v2.6.10
v2.6.11

Packagist / symfony/security-http

Package

Name
symfony/security-http
Purl
pkg:composer/symfony/security-http

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.7.0
Fixed
2.7.7

Affected versions

v2.*

v2.7.0
v2.7.1
v2.7.2
v2.7.3
v2.7.4
v2.7.5
v2.7.6

Packagist / symfony/security

Package

Name
symfony/security
Purl
pkg:composer/symfony/security

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.3.0
Fixed
2.3.35

Affected versions

v2.*

v2.3.0
v2.3.1
v2.3.2
v2.3.3
v2.3.4
v2.3.5
v2.3.6
v2.3.7
v2.3.8
v2.3.9
v2.3.10
v2.3.11
v2.3.12
v2.3.13
v2.3.14
v2.3.15
v2.3.16
v2.3.17
v2.3.18
v2.3.19
v2.3.20
v2.3.21
v2.3.22
v2.3.23
v2.3.24
v2.3.25
v2.3.26
v2.3.27
v2.3.28
v2.3.29
v2.3.30
v2.3.31
v2.3.32
v2.3.33
v2.3.34

Packagist / symfony/security

Package

Name
symfony/security
Purl
pkg:composer/symfony/security

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.4.0
Fixed
2.6.12

Affected versions

v2.*

v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v2.4.6
v2.4.7
v2.4.8
v2.4.9
v2.4.10
v2.5.0-BETA1
v2.5.0-BETA2
v2.5.0-RC1
v2.5.0
v2.5.1
v2.5.2
v2.5.3
v2.5.4
v2.5.5
v2.5.6
v2.5.7
v2.5.8
v2.5.9
v2.5.10
v2.5.11
v2.5.12
v2.6.0-BETA1
v2.6.0-BETA2
v2.6.0
v2.6.1
v2.6.2
v2.6.3
v2.6.4
v2.6.5
v2.6.6
v2.6.7
v2.6.8
v2.6.9
v2.6.10
v2.6.11

Packagist / symfony/security

Package

Name
symfony/security
Purl
pkg:composer/symfony/security

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.7.0
Fixed
2.7.7

Affected versions

v2.*

v2.7.0
v2.7.1
v2.7.2
v2.7.3
v2.7.4
v2.7.5
v2.7.6

Packagist / symfony/symfony

Package

Name
symfony/symfony
Purl
pkg:composer/symfony/symfony

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.4.0
Fixed
2.6.12

Affected versions

v2.*

v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v2.4.6
v2.4.7
v2.4.8
v2.4.9
v2.4.10
v2.5.0-BETA1
v2.5.0-BETA2
v2.5.0-RC1
v2.5.0
v2.5.1
v2.5.2
v2.5.3
v2.5.4
v2.5.5
v2.5.6
v2.5.7
v2.5.8
v2.5.9
v2.5.10
v2.5.11
v2.5.12
v2.6.0-BETA1
v2.6.0-BETA2
v2.6.0
v2.6.1
v2.6.2
v2.6.3
v2.6.4
v2.6.5
v2.6.6
v2.6.7
v2.6.8
v2.6.9
v2.6.10
v2.6.11