CVE-2018-11386
unknown
CVSS v3
—
CVSS v2
—
VIR risk
—
Description
An issue was discovered in the HttpFoundation component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. The PdoSessionHandler class stores sessions in a database through a PDO connection. Under some configurations, an attacker who sends a well-crafted payload can cause a denial of service on a Symfony application while expending few resources of their own. Applications that do not use PdoSessionHandler as their session storage are not affected.
Predictions
Exploit likelihood
30%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory (Symfony): https://symfony.com/blog/cve-2018-11386-denial-of-service-when-using-pdosessionhandler
Distribution advisory (Debian DSA-4262): https://www.debian.org/security/2018/dsa-4262 (tracker: https://security-tracker.debian.org/tracker/CVE-2018-11386)
Fix: upgrade symfony/http-foundation, or the symfony/symfony monolith package, to 2.7.48, 2.8.41, 3.3.17, 3.4.11 or 4.0.11 (whichever matches the branch in use). Debian users should install the patched symfony package listed under OS impact.
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | fixed | 3.4.12+dfsg-1 |
| debian | bullseye | fixed | 3.4.12+dfsg-1 |
| debian | forky | fixed | 3.4.12+dfsg-1 |
| debian | sid | fixed | 3.4.12+dfsg-1 |
| debian | trixie | fixed | 3.4.12+dfsg-1 |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Packagist | symfony/symfony | >=2.7.0,<2.7.48 | 2.7.48 |
| Packagist | symfony/symfony | >=2.8.0,<2.8.41 | 2.8.41 |
| Packagist | symfony/symfony | >=3.3.0,<3.3.17 | 3.3.17 |
| Packagist | symfony/symfony | >=3.4.0,<3.4.11 | 3.4.11 |
| Packagist | symfony/symfony | >=4.0.0,<4.0.11 | 4.0.11 |
| Packagist | symfony/http-foundation | >=2.7.0,<2.7.48 | 2.7.48 |
| Packagist | symfony/http-foundation | >=2.8.0,<2.8.41 | 2.8.41 |
| Packagist | symfony/http-foundation | >=3.3.0,<3.3.17 | 3.3.17 |
| Packagist | symfony/http-foundation | >=3.4.0,<3.4.11 | 3.4.11 |
| Packagist | symfony/http-foundation | >=4.0.0,<4.0.11 | 4.0.11 |
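The ranges above are what an audit has to match against an installed tree. The following is an added example, not code from the original page or from the Symfony project: it reads a composer.lock offline and reports each listed package as vulnerable, fixed or unknown, using the exact `>=lower,<fixed` ranges from the table. The composer.lock excerpt embedded in it is constructed for illustration, and the handling of `v` prefixes, pre-release suffixes and `dev-*` branch versions follows Composer's ordering as far as this check needs it.

```python
"""Offline check of a composer.lock against the affected ranges for CVE-2018-11386.

Added example for this page; it is not code from the original page or from the
Symfony project. The composer.lock excerpt below is constructed for illustration.
"""
import json
import re

# Affected ranges from the Package impact table: lower bound inclusive,
# upper bound (the fixed release) exclusive, mirroring Composer's ">=a,<b".
_RANGES = [
    ("2.7.0", "2.7.48"),
    ("2.8.0", "2.8.41"),
    ("3.3.0", "3.3.17"),
    ("3.4.0", "3.4.11"),
    ("4.0.0", "4.0.11"),
]
AFFECTED = {
    "symfony/symfony": _RANGES,
    "symfony/http-foundation": _RANGES,
}

# Numeric core, optionally followed by a pre-release tag such as -BETA1 or -RC2.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-+.]?(alpha|beta|rc|dev)\d*)?$", re.I)


def version_key(version):
    """Turn a Composer version string into a comparable tuple.

    Returns None for versions that cannot be ordered (branch aliases such as
    "dev-master" or "4.0.x-dev"). A pre-release (2.7.48-BETA1) sorts below the
    release (2.7.48), as Composer orders it, so it still satisfies "<2.7.48".
    """
    v = version.strip()
    if v.startswith("dev-"):
        return None
    v = v.lstrip("vV")
    m = _VERSION_RE.match(v)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))
    stable = 0 if m.group(2) is None else -1
    return tuple(parts[:3]) + (stable,)


def is_affected(package, version):
    """True/False for a comparable version of a listed package; None when the
    package is not listed here or the version cannot be ordered."""
    ranges = AFFECTED.get(package)
    if ranges is None:
        return None
    key = version_key(version)
    if key is None:
        return None
    for low, high in ranges:
        if version_key(low) <= key < version_key(high):
            return True
    return False


def audit_lock(lock_text):
    """Return [(package, version, status)] for every listed package found in
    the "packages" and "packages-dev" sections of a composer.lock document."""
    lock = json.loads(lock_text)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name, version = pkg.get("name"), pkg.get("version", "")
            if name not in AFFECTED:
                continue
            verdict = is_affected(name, version)
            status = {True: "vulnerable", False: "fixed", None: "unknown"}[verdict]
            findings.append((name, version, status))
    return findings


# Constructed composer.lock excerpt (not taken from any real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "symfony/http-foundation", "version": "v3.4.10"},
        {"name": "symfony/console", "version": "v3.4.10"},
        {"name": "monolog/monolog", "version": "1.23.0"},
    ],
    "packages-dev": [
        {"name": "symfony/symfony", "version": "dev-master"},
    ],
})

if __name__ == "__main__":
    for name, version, status in audit_lock(SAMPLE_LOCK):
        print(f"{name} {version}: {status}")
```

A `dev-*` branch version is reported as unknown rather than fixed on purpose: a branch alias carries no release number to compare, so the only honest answer is to inspect the pinned commit by hand. The same applies to any project that vendors http-foundation outside Composer, where this lockfile check sees nothing at all.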
References
- https://nvd.nist.gov/vuln/detail/CVE-2018-11386
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2018-11386.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2018-11386.yaml
- https://github.com/symfony/symfony
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G4XNBMFW33H47O5TZGA7JYCVLDBCXAJV
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBQK7JDXIELADIPGZIOUCZKMAJM5LSBW
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WU5N2TZFNGXDGMXMPP7LZCWTFLENF6WH
- https://symfony.com/blog/cve-2018-11386-denial-of-service-when-using-pdosessionhandler
- https://symfony.com/cve-2018-11386
- https://www.debian.org/security/2018/dsa-4262
- https://security-tracker.debian.org/tracker/CVE-2018-11386