CVE-2018-11386
MEDIUM 5.9 | EPSS 1.1% | Symfony DoS
Published: 2022/5/14 | Modified: 2026/5/27
Description
An issue was discovered in the HttpFoundation component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. The PDOSessionHandler class allows storing sessions on a PDO connection. Under some configurations and with a well-crafted payload, it was possible to do a denial of service on a Symfony application without too much resources.
Affected packages (3)
- Debian/symfony: from 0, < 3.4.12+dfsg-1
- Packagist/symfony/http-foundation: >= 2.7.0, < 2.7.48
- Packagist/symfony/symfony: >= 2.7.0, < 2.7.48
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.9 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
References (11)
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2018-11386
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2018-11386
- PATCH: https://github.com/symfony/symfony
- WEB: https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-foundation/CVE-2018-11386.yaml
- WEB: https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2018-11386.yaml
- WEB: https://lists.fedoraproject.org/archives/list/[email protected]/message/G4XNBMFW33H47O5TZGA7JYCVLDBCXAJV
- WEB: https://lists.fedoraproject.org/archives/list/[email protected]/message/UBQK7JDXIELADIPGZIOUCZKMAJM5LSBW
- WEB: https://lists.fedoraproject.org/archives/list/[email protected]/message/WU5N2TZFNGXDGMXMPP7LZCWTFLENF6WH
- WEB: https://symfony.com/blog/cve-2018-11386-denial-of-service-when-using-pdosessionhandler
- WEB: https://symfony.com/cve-2018-11386
- WEB: https://www.debian.org/security/2018/dsa-4262