GHSA-whgv-8cg3-7hcm
Suggest an improvement- Source
- https://github.com/advisories/GHSA-whgv-8cg3-7hcm
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-whgv-8cg3-7hcm/GHSA-whgv-8cg3-7hcm.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-whgv-8cg3-7hcm
- Aliases
- Published
- 2022-05-17T03:54:47Z
- Modified
- 2024-12-08T05:43:41.795128Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- Symphony Denial of Service Via Overlong Usernames
- Details
-
The attemptAuthentication function in
Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.phpin Symfony before 2.3.41, 2.7.x before 2.7.13, 2.8.x before 2.8.6, and 3.0.x before 3.0.6 does not limit the length of a username stored in a session, which allows remote attackers to cause a denial of service (session storage consumption) via a series of authentication attempts with long, non-existent usernames. - Database specific
{ "nvd_published_at": "2016-06-01T22:59:00Z", "cwe_ids": [], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-04-25T22:08:02Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2016-4423
- https://github.com/symfony/symfony/pull/18733
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2016-4423.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security/CVE-2016-4423.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2016-4423.yaml
- https://github.com/symfony/symfony
- https://symfony.com/blog/cve-2016-4423-large-username-storage-in-session
- https://symfony.com/cve-2016-4423
- http://www.debian.org/security/2016/dsa-3588
Affected packages
Packagist / symfony/security-http
Package
- Name
- symfony/security-http
- Purl
- pkg:composer/symfony/security-http
Packagist / symfony/security-http
Package
- Name
- symfony/security-http
- Purl
- pkg:composer/symfony/security-http
Affected versions
v2.*
v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v2.4.6
v2.4.7
v2.4.8
v2.4.9
v2.4.10
v2.5.0-BETA1
v2.5.0-BETA2
v2.5.0-RC1
v2.5.0
v2.5.1
v2.5.2
v2.5.3
v2.5.4
v2.5.5
v2.5.6
v2.5.7
v2.5.8
v2.5.9
v2.5.10
v2.5.11
v2.5.12
v2.6.0-BETA1
v2.6.0-BETA2
v2.6.0
v2.6.1
v2.6.2
v2.6.3
v2.6.4
v2.6.5
v2.6.6
v2.6.7
v2.6.8
v2.6.9
v2.6.10
v2.6.11
v2.6.12
v2.6.13
v2.7.0-BETA1
v2.7.0-BETA2
v2.7.0
v2.7.1
v2.7.2
v2.7.3
v2.7.4
v2.7.5
v2.7.6
v2.7.7
v2.7.8
v2.7.9
v2.7.10
v2.7.11
v2.7.12
Packagist / symfony/security-http
Package
- Name
- symfony/security-http
- Purl
- pkg:composer/symfony/security-http
Packagist / symfony/security-http
Package
- Name
- symfony/security-http
- Purl
- pkg:composer/symfony/security-http
Packagist / symfony/security
Package
- Name
- symfony/security
- Purl
- pkg:composer/symfony/security
Affected versions
v2.*
v2.3.0
v2.3.1
v2.3.2
v2.3.3
v2.3.4
v2.3.5
v2.3.6
v2.3.7
v2.3.8
v2.3.9
v2.3.10
v2.3.11
v2.3.12
v2.3.13
v2.3.14
v2.3.15
v2.3.16
v2.3.17
v2.3.18
v2.3.19
v2.3.20
v2.3.21
v2.3.22
v2.3.23
v2.3.24
v2.3.25
v2.3.26
v2.3.27
v2.3.28
v2.3.29
v2.3.30
v2.3.31
v2.3.32
v2.3.33
v2.3.34
v2.3.35
v2.3.36
v2.3.37
v2.3.38
v2.3.39
v2.3.40
Packagist / symfony/security
Package
- Name
- symfony/security
- Purl
- pkg:composer/symfony/security
Affected versions
v2.*
v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v2.4.6
v2.4.7
v2.4.8
v2.4.9
v2.4.10
v2.5.0-BETA1
v2.5.0-BETA2
v2.5.0-RC1
v2.5.0
v2.5.1
v2.5.2
v2.5.3
v2.5.4
v2.5.5
v2.5.6
v2.5.7
v2.5.8
v2.5.9
v2.5.10
v2.5.11
v2.5.12
v2.6.0-BETA1
v2.6.0-BETA2
v2.6.0
v2.6.1
v2.6.2
v2.6.3
v2.6.4
v2.6.5
v2.6.6
v2.6.7
v2.6.8
v2.6.9
v2.6.10
v2.6.11
v2.6.12
v2.6.13
v2.7.0-BETA1
v2.7.0-BETA2
v2.7.0
v2.7.1
v2.7.2
v2.7.3
v2.7.4
v2.7.5
v2.7.6
v2.7.7
v2.7.8
v2.7.9
v2.7.10
v2.7.11
v2.7.12
Packagist / symfony/security
Package
- Name
- symfony/security
- Purl
- pkg:composer/symfony/security
Packagist / symfony/security
Package
- Name
- symfony/security
- Purl
- pkg:composer/symfony/security
Packagist / symfony/symfony
Package
- Name
- symfony/symfony
- Purl
- pkg:composer/symfony/symfony
Affected versions
v2.*
v2.3.0
v2.3.1
v2.3.2
v2.3.3
v2.3.4
v2.3.5
v2.3.6
v2.3.7
v2.3.8
v2.3.9
v2.3.10
v2.3.11
v2.3.12
v2.3.13
v2.3.14
v2.3.15
v2.3.16
v2.3.17
v2.3.18
v2.3.19
v2.3.20
v2.3.21
v2.3.22
v2.3.23
v2.3.24
v2.3.25
v2.3.26
v2.3.27
v2.3.28
v2.3.29
v2.3.30
v2.3.31
v2.3.32
v2.3.33
v2.3.34
v2.3.35
v2.3.36
v2.3.37
v2.3.38
v2.3.39
v2.3.40
Packagist / symfony/symfony
Package
- Name
- symfony/symfony
- Purl
- pkg:composer/symfony/symfony
Affected versions
v2.*
v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v2.4.6
v2.4.7
v2.4.8
v2.4.9
v2.4.10
v2.5.0-BETA1
v2.5.0-BETA2
v2.5.0-RC1
v2.5.0
v2.5.1
v2.5.2
v2.5.3
v2.5.4
v2.5.5
v2.5.6
v2.5.7
v2.5.8
v2.5.9
v2.5.10
v2.5.11
v2.5.12
v2.6.0-BETA1
v2.6.0-BETA2
v2.6.0
v2.6.1
v2.6.2
v2.6.3
v2.6.4
v2.6.5
v2.6.6
v2.6.7
v2.6.8
v2.6.9
v2.6.10
v2.6.11
v2.6.12
v2.6.13
v2.7.0-BETA1
v2.7.0-BETA2
v2.7.0
v2.7.1
v2.7.2
v2.7.3
v2.7.4
v2.7.5
v2.7.6
v2.7.7
v2.7.8
v2.7.9
v2.7.10
v2.7.11
v2.7.12
Packagist / symfony/symfony
Package
- Name
- symfony/symfony
- Purl
- pkg:composer/symfony/symfony
Packagist / symfony/symfony
Package
- Name
- symfony/symfony
- Purl
- pkg:composer/symfony/symfony