Symfony Remote Code Access Vulnerabilities

Summary

Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 might allow remote attackers to have impact via a timing attack involving the (1) Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices or (2) Symfony/Component/Security/Http/Firewall/DigestAuthenticationListener class in the Symfony Security Component, or (3) legacy CSRF implementation from the Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider class in the Symfony Form component.

Credit:

Details

Vulnerable Systems:
 * Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7

Immune Systems:
 * Symfony 2.3.35 and later, 2.6.12 and later, and 2.7.7 and later

Several potential remote timing attack vulnerabilities were discovered in classes from the Symfony Security component and in the legacy CSRF implementation from the Symfony Form component.
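The defect behind each of the three affected classes is the same: a secret token (a remember-me token, a digest-auth response, a CSRF token) was compared to the submitted value with a comparison that stops at the first mismatching byte, so the amount of work done depends on how much of the secret the submitted value matches. The following added example, written here in Python rather than Symfony's PHP and not taken from Symfony's own code, shows a short-circuiting comparison beside a constant-time one. Instead of measuring wall-clock time it returns the number of bytes each comparison inspected, which makes the data-dependent behaviour visible without any timing harness; the token values are constructed for the example.

```python
import hmac
from typing import Tuple


def naive_token_equal(expected: str, provided: str) -> Tuple[bool, int]:
    """Comparison that returns at the first mismatching byte.

    Returns (equal, bytes_inspected). The second value is what leaks in a
    remote timing attack: it grows with the length of the matching prefix.
    """
    e = expected.encode()
    p = provided.encode()
    if len(e) != len(p):
        return False, 0
    inspected = 0
    for a, b in zip(e, p):
        inspected += 1
        if a != b:          # early exit: work depends on the submitted value
            return False, inspected
    return True, inspected


def constant_time_token_equal(expected: str, provided: str) -> Tuple[bool, int]:
    """Comparison that always walks the full length of the expected token.

    Mismatches are accumulated with OR/XOR instead of branching, so the
    number of bytes inspected is the same for every submitted value.
    """
    e = expected.encode()
    p = provided.encode()
    same_length = len(e) == len(p)
    if not same_length:
        # Still do a full pass over the expected token so a wrong-length
        # submission costs the same as a right-length one.
        p = e
    diff = 0
    inspected = 0
    for a, b in zip(e, p):
        inspected += 1
        diff |= a ^ b       # no branch on the result inside the loop
    return (diff == 0) and same_length, inspected


def validate_submitted_token(session_token: str, submitted_token: str) -> bool:
    """The form a framework check should take: delegate to the standard
    library's constant-time comparison (hmac.compare_digest here; PHP offers
    hash_equals for the same purpose)."""
    return hmac.compare_digest(session_token.encode(), submitted_token.encode())


if __name__ == "__main__":
    # Constructed sample token; a real CSRF or remember-me token would be
    # a random value stored server-side.
    secret = "a9f3c1e7"
    for guess in ("zzzzzzzz", "a9zzzzzz", "a9f3c1ez", "a9f3c1e7"):
        print(guess, naive_token_equal(secret, guess),
              constant_time_token_equal(secret, guess))
```

Run stand-alone, the naive comparison inspects 1, 3, 8 and 8 bytes for the four guesses while the constant-time one inspects 8 every time; both agree on which guess is correct. The fix shipped in the listed Symfony releases is of the second kind: compare the full token every time rather than returning at the first difference.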

CVE Information:
CVE-2015-8125

Disclosure Timeline:
Original release date: 12/07/2015
Last revised: 12/08/2015
