CVE-2019-18887
HIGH8.1EPSS 0.81%symfony - security update
發布日:2022/3/26修改日:2026/5/27
描述
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. The UriSigner was subject to timing attacks. This is related to symfony/http-kernel.
受影響套件(4)
- Debian/symfonyfrom 0, < 4.3.8+dfsg-1
- Debian/symfonyfrom 0, < 2.8.7+dfsg-1.3+deb9u3
- Packagist/symfony/http-kernel>= 2.2.0, < 2.8.52
- Packagist/symfony/symfony>= 2.2.0, < 2.8.52
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
參考連結(14)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-18887
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2019-18887
- WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-kernel/CVE-2019-18887.yaml
- WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2019-18887.yaml
- WEBhttps://github.com/symfony/symfony/releases/tag/v4.3.8
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DZNXRVHDQBNZQUCNRVZICPPBFRAUWUJX
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA
- WEBhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VXEAOEANNIVYANTMOJ42NKSU6BGNBULZ
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/DZNXRVHDQBNZQUCNRVZICPPBFRAUWUJX
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA
- WEBhttps://lists.fedoraproject.org/archives/list/[email protected]/message/VXEAOEANNIVYANTMOJ42NKSU6BGNBULZ
- WEBhttps://symfony.com/blog/cve-2019-18887-use-constant-time-comparison-in-urisigner
- WEBhttps://symfony.com/blog/symfony-4-3-8-released
- WEBhttps://symfony.com/cve-2019-18887