CVE-2018-11386

NameCVE-2018-11386
DescriptionAn issue was discovered in the HttpFoundation component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. The PDOSessionHandler class allows storing sessions on a PDO connection. Under some configurations and with a well-crafted payload, it was possible to do a denial of service on a Symfony application without too much resources.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-4262-1
NVD severitymedium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
symfony (PTS)jessie (security), jessie2.3.21+dfsg-4+deb8u3fixed
stretch (security), stretch2.8.7+dfsg-1.3+deb9u1fixed
buster3.4.19+dfsg-1fixed
sid3.4.20+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
symfonysource(unstable)3.4.12+dfsg-1medium
symfonysourcejessie(not affected)
symfonysourcestretch2.8.7+dfsg-1.3+deb9u1mediumDSA-4262-1

Notes

[jessie] - symfony <not-affected> (vulnerable code no present, no rollback mechanism in this version)
https://symfony.com/blog/cve-2018-11386-denial-of-service-when-using-pdosessionhandler

Search for package or bug name: Reporting problems