CVE-2018-11386

NameCVE-2018-11386
DescriptionAn issue was discovered in the HttpFoundation component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. The PDOSessionHandler class allows storing sessions on a PDO connection. Under some configurations and with a well-crafted payload, it was possible to do a denial of service on a Symfony application without too much resources.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
symfony (PTS)jessie (security), jessie2.3.21+dfsg-4+deb8u3vulnerable
stretch2.8.7+dfsg-1.3vulnerable
buster, sid3.4.6+dfsg-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
symfonysource(unstable)(unfixed)

Notes

https://symfony.com/blog/cve-2018-11386-denial-of-service-when-using-pdosessionhandler

Search for package or bug name: Reporting problems