CVE-2016-4423 — Security vulnerability

CWE-3999 documents6 sources

Severity

7.5HIGHNVD

EPSS

1.4%

top 19.28%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Symfony Symfony Security Symfony Security-http +2 more

Timeline

PublishedJun 1

Latest updateMay 17

Description

The attemptAuthentication function in Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php in Symfony before 2.3.41, 2.7.x before 2.7.13, 2.8.x before 2.8.6, and 3.0.x before 3.0.6 does not limit the length of a username stored in a session, which allows remote attackers to cause a denial of service (session storage consumption) via a series of authentication attempts with long, non-existent usernames.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages5 packages

▶Packagistsymfony/security-http2.3.0 — 2.3.41+3

▶Packagistsymfony/security2.3.0 — 2.3.41+3

▶Packagistsymfony/symfony2.3.0 — 2.3.41+3

▶Debiansymfony/symfony< 2.8.6+dfsg-1+3

▶NVDsensiolabs/symfony2.3.40+25

Also affects: Debian Linux 8.0

🔴Vulnerability Details

OSV

Symphony Denial of Service Via Overlong Usernames↗2022-05-17

▶

GHSA

Symphony Denial of Service Via Overlong Usernames↗2022-05-17

▶

OSV

CVE-2016-4423: The attemptAuthentication function in Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener↗2016-06-01

▶

CVEList

CVE-2016-4423: The attemptAuthentication function in Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener↗2016-06-01

▶

📋Vendor Advisories

Debian

CVE-2016-4423: symfony - The attemptAuthentication function in Component/Security/Http/Firewall/UsernameP...↗2016

▶

💬Community

Bugzilla

CVE-2016-4423 php-symfony: Large username storage in session↗2016-05-30

▶

Bugzilla

CVE-2016-4423 php-symfony: Large username storage in session [epel-all]↗2016-05-30

▶

Bugzilla

CVE-2016-4423 php-symfony: Large username storage in session [fedora-all]↗2016-05-30

▶