CVE-2019-18887
moderate-risk
Published 2019-11-21
An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. The UriSigner was subject to timing attacks. This is related to symfony/http-kernel.
Do I need to act?
0.81% chance of exploitation
EPSS score — low exploit probability
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 8.1/10
High
NETWORK / HIGH complexity
References (12)
Release Notes
https://github.com/symfony/symfony/releases/tag/v4.3.8
Release Notes
https://symfony.com/blog/symfony-4-3-8-released
36 / 100
moderate-risk
Severity
24/34 · High
Exploitability
3/34 · Minimal
Exposure
9/34 · Low