CVE-2019-18887 - Information Exposure Through Discrepancy vulnerability in multiple products

CVSS 8.1 - HIGH
  • Attack vector: NETWORK
  • Attack complexity: HIGH
  • Privileges required: NONE
  • Confidentiality impact: HIGH
  • Integrity impact: HIGH
  • Availability impact: HIGH

Tags: network, high complexity, sensiolabs, fedoraproject, CWE-203, nessus

Summary

An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. The UriSigner was subject to timing attacks. This is related to symfony/http-kernel.

Vulnerable Configurations

Part         Description     Count
Application  Sensiolabs      119
OS           Fedoraproject   2

Common Weakness Enumeration (CWE)

  • CWE-203: Information Exposure Through Discrepancy

Nessus

  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2019-5AE4FD9203.NASL
    description: **Version 2.8.52** (2019-11-13)
      - security #cve-2019-18888 [HttpFoundation] fix guessing mime-types of files with leading dash (nicolas-grekas)
      - security #cve-2019-18887 [HttpKernel] Use constant time comparison in UriSigner (stof)
      Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 131198
    published: 2019-11-22
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/131198
    title: Fedora 31 : php-symfony (2019-5ae4fd9203)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2019-9C2AD3B018.NASL
    description: **Version 2.8.52** (2019-11-13)
      - security #cve-2019-18888 [HttpFoundation] fix guessing mime-types of files with leading dash (nicolas-grekas)
      - security #cve-2019-18887 [HttpKernel] Use constant time comparison in UriSigner (stof)
      Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 131204
    published: 2019-11-22
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/131204
    title: Fedora 30 : php-symfony (2019-9c2ad3b018)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DLA-1999.NASL
    description: Multiple vulnerabilities have been found in the Symfony PHP framework which could lead to a timing attack/information leak, argument injection and code execution via unserialization. For Debian 8
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 131138
    published: 2019-11-20
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/131138
    title: Debian DLA-1999-1 : symfony security update
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2019-8B0BA02338.NASL
    description: **Version 3.4.35** (2019-11-13)
      - bug #34344 [Console] Constant STDOUT might be undefined (nicolas-grekas)
      - security #cve-2019-18889 [Cache] forbid serializing AbstractAdapter and TagAwareAdapter instances (nicolas-grekas)
      - security #cve-2019-18888 [HttpFoundation] fix guessing mime-types of files with leading dash (nicolas-grekas)
      - security #cve-2019-18887 [HttpKernel] Use constant time comparison in UriSigner (stof)
      ----
      **Version 3.4.34** (2019-11-11)
      - bug #34297 [DI] fix locators with numeric keys (nicolas-grekas)
      - bug #34282 [DI] Dont cache classes with missing parents (nicolas-grekas)
      - bug #34181 [Stopwatch] Fixed bug in getDuration when counting multiple ongoing periods (TimoBakx)
      - bug #34179 [Stopwatch] Fixed a bug in StopwatchEvent::getStartTime (TimoBakx)
      - bug #34203 [FrameworkBundle] [HttpKernel] fixed correct EOL and EOM month (erics86)
      ----
      **Version 3.4.33** (2019-11-01)
      - bug #33998 [Config] Disable default alphabet sorting in glob function due of unstable sort (hurricane-voronin)
      - bug #34144 [Serializer] Improve messages for unexpected resources values (fancyweb)
      - bug #34080 [SecurityBundle] correct types for default arguments for firewall configs (shieldo)
      - bug #33999 [Form] Make sure to collect child forms created on *_SET_DATA events (yceruto)
      - bug #34021 [TwigBridge] do not render errors for checkboxes twice (xabbuh)
      - bug #34041 [HttpKernel] fix wrong removal of the just generated container dir (nicolas-grekas)
      - bug #34023 [Dotenv] allow LF in single-quoted strings (nicolas-grekas)
      - bug #33818 [Yaml] Throw exception for tagged invalid inline elements (gharlan)
      - bug #33948 [PropertyInfo] Respect property name case when guessing from public method name (antograssiot)
      - bug #33962 [Cache] fixed TagAwareAdapter returning invalid cache (v-m-i)
      - bug #33965 [HttpFoundation] Add plus character `+` to legal mime subtype (ilzrv)
      - bug #32943 [Dotenv] search variable values in ENV first then env file (soufianZantar)
      - bug #33943 [VarDumper] fix resetting the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 131202
    published: 2019-11-22
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/131202
    title: Fedora 31 : php-symfony3 (2019-8b0ba02338)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-4573.NASL
    description: Multiple vulnerabilities have been found in the Symfony PHP framework which could lead to a timing attack/information leak, argument injection and code execution via unserialization.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 131141
    published: 2019-11-20
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/131141
    title: Debian DSA-4573-1 : symfony - security update