CVE-2015-8125 — Observable Timing Discrepancy in Form

CWE-208 — Observable Timing Discrepancy9 documents6 sources

Severity

7.5HIGHNVD

EPSS

1.0%

top 22.89%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Symfony Symfony Form Symfony Security +2 more

Timeline

PublishedDec 7

Latest updateMay 17

Description

Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 might allow remote attackers to have unspecified impact via a timing attack involving the (1) Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices or (2) Symfony/Component/Security/Http/Firewall/DigestAuthenticationListener class in the Symfony Security Component, or (3) legacy CSRF implementation from the Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider class in the Symfon…

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages6 packages

▶Packagistsymfony/security-http2.4.0 — 2.6.12+1

▶Packagistsymfony/security2.3.0 — 2.3.35+2

▶Packagistsymfony/form2.3.0 — 2.3.35+2

▶Packagistsymfony/symfony2.3.0 — 2.3.35+2

▶Debiansymfony/symfony< 2.7.7+dfsg-1+3

Patches

Patch: symfony.com ↗Patch: symfony.com ↗

🔴Vulnerability Details

OSV

Symfony Vulnerable to Timing Attack↗2022-05-17

▶

GHSA

Symfony Vulnerable to Timing Attack↗2022-05-17

▶

CVEList

CVE-2015-8125: Symfony 2↗2015-12-07

▶

OSV

CVE-2015-8125: Symfony 2↗2015-12-07

▶

📋Vendor Advisories

Debian

CVE-2015-8125: symfony - Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 might a...↗2015

▶

💬Community

Bugzilla

CVE-2015-8124 CVE-2015-8125 php-symfony: Session fixation and remote timing attack vulnerabilities [fedora-all]↗2015-11-25

▶

Bugzilla

CVE-2015-8124 CVE-2015-8125 php-symfony: Session fixation and remote timing attack vulnerabilities↗2015-11-25

▶

Bugzilla

CVE-2015-8124 CVE-2015-8125 php-symfony: Session fixation and remote timing attack vulnerabilities [epel-all]↗2015-11-25

▶