The Security Check Report lists v2.6.13 as vulnerable, but it is not listed above.
Output from our travis:
symfony/symfony (v2.6.13)
-------------------------
* CVE-2016-4423: CVE-2016-4423: Large username storage in session
http://symfony.com/blog/cve-2016-4423-large-username-storage-in-session
This checker can only detect vulnerabilities that are referenced Disclaimer in the SensioLabs security advisories database. Execute this command regularly to check the newly discovered vulnerabilities.
CVE-2016-4423: Large username storage in session
May 9, 2016
Fabien Potencier
Affected Versions¶
Symfony 2.3.0 to 2.3.40, 2.7.0 to 2.7.12, 2.8.0 to 2.8.5, and 3.0.0 to 3.0.5
versions of the Security component are affected by this security issue when
using the username/password form authentication listener (and its simpler
version SimpleFormAuthenticationListener).
This issue has been fixed in Symfony 2.3.41, 2.7.13, 2.8.6, and 3.0.6.
Note that no fixes are provided for Symfony 2.4, 2.5, and 2.6 as they are not maintained anymore.
Description¶
When an authentication form is submitted by the user and if the user does not exist, the submitted username is stored in the session. If an attacker submit multiple requests with large usernames, he can potentially fill up the session storage.
If you have found a security issue in Symfony, please send the
details to security [at] symfony.com and don't
disclose it publicly until we can provide a fix for it.
Comments
All 2.6 versions are vulnerable as stated in the blog post above. 2.6 is not maintained anymore and so, it does not receive security issue patches. You should upgrade.
Comments are closed.
To ensure that comments stay relevant, they are closed for old posts.
Thomas Schulz said on May 10, 2016 at 07:18 #1