CVE-2018-11386 — Insufficient Session Expiration in Symfony
Severity: 5.9 MEDIUM (NVD)
EPSS: 1.1% (top 22.06%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline: Published Jun 13; Latest update May 14
Description
An issue was discovered in the HttpFoundation component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. The PDOSessionHandler class allows sessions to be stored over a PDO connection. Under some configurations and with a well-crafted payload, it was possible to cause a denial of service against a Symfony application without requiring many resources.
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 2.2 | Impact: 3.6
Affected Packages: 4 packages
Also affects: Debian Linux 9.0
Vulnerability Details

Vendor Advisories
  Debian (1): CVE-2018-11386: symfony - An issue was discovered in the HttpFoundation component in Symfony 2.7.x before ... (2018)

Community
  Bugzilla (6):
    CVE-2017-16652 CVE-2018-11385 CVE-2018-11386 CVE-2018-11406 CVE-2018-11407 CVE-2018-11408 php-symfony4: php-symfony: Multiple flaws [fedora-all] (2018-06-15)
    CVE-2017-16652 CVE-2018-11385 CVE-2018-11386 CVE-2018-11406 CVE-2018-11407 CVE-2018-11408 php-symfony-symfony: php-symfony: Multiple flaws [epel-6] (2018-06-15)
    CVE-2017-16652 CVE-2018-11385 CVE-2018-11386 CVE-2018-11406 CVE-2018-11407 CVE-2018-11408 php-symfony3: php-symfony: Multiple flaws [fedora-all] (2018-06-15)
    CVE-2017-16652 CVE-2018-11385 CVE-2018-11386 CVE-2018-11406 CVE-2018-11407 CVE-2018-11408 php-symfony: Multiple flaws (2018-06-14)
    CVE-2017-16652 CVE-2018-11385 CVE-2018-11386 CVE-2018-11406 CVE-2018-11407 CVE-2018-11408 php-symfony: Multiple flaws [fedora-all] (2018-06-14)