CVE-2019-18887

HIGH8.1EPSS 0.81%

symfony - security update

Published: 3/26/2022Modified: 5/27/2026

Description

An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. The UriSigner was subject to timing attacks. This is related to symfony/http-kernel.

Affected packages (4)

Debian/symfonyfrom 0, < 4.3.8+dfsg-1
Debian/symfonyfrom 0, < 2.8.7+dfsg-1.3+deb9u3
Packagist/symfony/http-kernel>= 2.2.0, < 2.8.52
Packagist/symfony/symfony>= 2.2.0, < 2.8.52

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.1	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References (14)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-18887
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2019-18887
WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-kernel/CVE-2019-18887.yaml
WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2019-18887.yaml
WEBhttps://github.com/symfony/symfony/releases/tag/v4.3.8
WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DZNXRVHDQBNZQUCNRVZICPPBFRAUWUJX
WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA
WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VXEAOEANNIVYANTMOJ42NKSU6BGNBULZ
WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/DZNXRVHDQBNZQUCNRVZICPPBFRAUWUJX
WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA
WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/VXEAOEANNIVYANTMOJ42NKSU6BGNBULZ
WEBhttps://symfony.com/blog/cve-2019-18887-use-constant-time-comparison-in-urisigner
WEBhttps://symfony.com/blog/symfony-4-3-8-released
WEBhttps://symfony.com/cve-2019-18887