Web application abuses : Symfony 2.8.0 <= 2.8.51, 3.4.0 <= 3.4.34, 4.2.0 <= 4.2.11 and 4.3.0 <= 4.3.7 Multiple Vulnerabilities

Anfälligkeitssuche		Suche in 324607 CVE Beschreibungen und 145615 Test Beschreibungen, Zugriff auf 10,000+ Quellverweise.
	Tests CVE Alle

Test Kennung: 1.3.6.1.4.1.25623.1.0.112670

Kategorie: Web application abuses

Titel: Symfony 2.8.0 <= 2.8.51, 3.4.0 <= 3.4.34, 4.2.0 <= 4.2.11 and 4.3.0 <= 4.3.7 Multiple Vulnerabilities

Zusammenfassung: Symfony is prone to multiple vulnerabilities.

Beschreibung: Summary:
Symfony is prone to multiple vulnerabilities.

Vulnerability Insight:
The following vulnerabilities exist:

- When checking the signature of an URI (an ESI fragment URL for instance),
the URISigner did not used a constant time string comparison function,
resulting in a potential remote timing attack vulnerability.

- Provided file paths were not being properly escaped before being used in
the FileBinaryMimeTypeGuesser resulting in potential argument injection through the provided $path variable.

Affected Software/OS:
Symfony versions 2.8.0 to 2.8.51, 3.4.0 to 3.4.34, 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7.

Solution:
The issue has been fixed in Symfony 2.8.52, 3.4.35, 4.2.12 and 4.3.8.

NOTE: Note that no fixes are provided for Symfony 3.0, 3.1, 3.2, 3.3, 4.0 and 4.1 as they are not maintained anymore.
This will be the last Symfony 2.8 security fix as it enters EOL. Please upgrade to a more recent version of Symfony to continue receiving updates.

CVSS Score:
6.8

CVSS Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:P

Querverweis: Common Vulnerability Exposure (CVE) ID: CVE-2019-18887
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VXEAOEANNIVYANTMOJ42NKSU6BGNBULZ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DZNXRVHDQBNZQUCNRVZICPPBFRAUWUJX/
Common Vulnerability Exposure (CVE) ID: CVE-2019-18888

Copyright Copyright (C) 2019 Greenbone Networks GmbH

Dies ist nur einer von 145615 Anfälligkeitstests in unserem Testpaket. Finden Sie mehr über unsere vollständigen Sicherheitsüberprüfungen heraus.
Um einen gratis Test für diese Anfälligkeit auf Ihrem System durchlaufen zu lassen, registrieren Sie sich bitte unten.

Test Kennung:	1.3.6.1.4.1.25623.1.0.112670
Kategorie:	Web application abuses
Titel:	Symfony 2.8.0 <= 2.8.51, 3.4.0 <= 3.4.34, 4.2.0 <= 4.2.11 and 4.3.0 <= 4.3.7 Multiple Vulnerabilities
Zusammenfassung:	Symfony is prone to multiple vulnerabilities.
Beschreibung:	Summary: Symfony is prone to multiple vulnerabilities. Vulnerability Insight: The following vulnerabilities exist: - When checking the signature of an URI (an ESI fragment URL for instance), the URISigner did not used a constant time string comparison function, resulting in a potential remote timing attack vulnerability. - Provided file paths were not being properly escaped before being used in the FileBinaryMimeTypeGuesser resulting in potential argument injection through the provided $path variable. Affected Software/OS: Symfony versions 2.8.0 to 2.8.51, 3.4.0 to 3.4.34, 4.2.0 to 4.2.11 and 4.3.0 to 4.3.7. Solution: The issue has been fixed in Symfony 2.8.52, 3.4.35, 4.2.12 and 4.3.8. NOTE: Note that no fixes are provided for Symfony 3.0, 3.1, 3.2, 3.3, 4.0 and 4.1 as they are not maintained anymore. This will be the last Symfony 2.8 security fix as it enters EOL. Please upgrade to a more recent version of Symfony to continue receiving updates. CVSS Score: 6.8 CVSS Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Querverweis:	Common Vulnerability Exposure (CVE) ID: CVE-2019-18887 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VXEAOEANNIVYANTMOJ42NKSU6BGNBULZ/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UED22BOXTL2SSFMGYKA64ZFHGLLJG3EA/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DZNXRVHDQBNZQUCNRVZICPPBFRAUWUJX/ Common Vulnerability Exposure (CVE) ID: CVE-2019-18888
Copyright	Copyright (C) 2019 Greenbone Networks GmbH