CVE-2018-11386

MEDIUM5.9EPSS 1.1%

Symfony DoS

Published: 5/14/2022Modified: 5/27/2026

Also known as:GHSA-r2rq-3h56-fqm4DEBIAN-CVE-2018-11386

Description

An issue was discovered in the HttpFoundation component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. The PDOSessionHandler class allows storing sessions on a PDO connection. Under some configurations and with a well-crafted payload, it was possible to do a denial of service on a Symfony application without too much resources.

Affected packages (3)

Debian/symfonyfrom 0, < 3.4.12+dfsg-1
Packagist/symfony/http-foundation>= 2.7.0, < 2.7.48
Packagist/symfony/symfony>= 2.7.0, < 2.7.48

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.9	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References (11)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2018-11386
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2018-11386
PATCHhttps://github.com/symfony/symfony
WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2018-11386.yaml
WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2018-11386.yaml
WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/G4XNBMFW33H47O5TZGA7JYCVLDBCXAJV
WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/UBQK7JDXIELADIPGZIOUCZKMAJM5LSBW
WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/WU5N2TZFNGXDGMXMPP7LZCWTFLENF6WH
WEBhttps://symfony.com/blog/cve-2018-11386-denial-of-service-when-using-pdosessionhandler
WEBhttps://symfony.com/cve-2018-11386
WEBhttps://www.debian.org/security/2018/dsa-4262