CVE-2018-11386 : An issue was discovered in the HttpFoundation component in Symfony 2.7.x before

An issue was discovered in the HttpFoundation component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. The PDOSessionHandler class allows storing sessions on a PDO connection. Under some configurations and with a well-crafted payload, it was possible to do a denial of service on a Symfony application without too much resources.

Published 2018-06-13 16:29:01

Updated 2019-03-29 16:22:48

Source MITRE

View at NVD, CVE.org

Vulnerability category: Denial of service

Products affected by CVE-2018-11386

Debian » Debian Linux » Version: 9.0
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Matching versions
Sensiolabs » Symfony
Versions from including (>=) 2.7.0 and before (<) 2.7.48
cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*
Matching versions
Sensiolabs » Symfony
Versions from including (>=) 2.8.0 and before (<) 2.8.41
cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*
Matching versions
Sensiolabs » Symfony
Versions from including (>=) 4.0.0 and before (<) 4.0.11
cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*
Matching versions
Sensiolabs » Symfony
Versions from including (>=) 3.3.0 and before (<) 3.3.17
cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*
Matching versions
Sensiolabs » Symfony
Versions from including (>=) 3.4.0 and before (<) 3.4.11
cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2018-11386

EPSS FAQ

1.09%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 77 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2018-11386

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:N/A:P	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
5.9	MEDIUM	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H	2.2	3.6	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2018-11386

CWE-613 Insufficient Session Expiration

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

Assigned by: nvd@nist.gov (Primary)

References for CVE-2018-11386

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WU5N2TZFNGXDGMXMPP7LZCWTFLENF6WH/

[SECURITY] Fedora 28 Update: php-symfony3-3.4.11-1.fc28 - package-announce - Fedora Mailing-Lists
Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G4XNBMFW33H47O5TZGA7JYCVLDBCXAJV/

[SECURITY] Fedora 28 Update: php-symfony-2.8.41-1.fc28 - package-announce - Fedora Mailing-Lists
Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBQK7JDXIELADIPGZIOUCZKMAJM5LSBW/

[SECURITY] Fedora 28 Update: php-symfony4-4.0.11-1.fc28 - package-announce - Fedora Mailing-Lists
Third Party Advisory

CVEs referencing this url
https://www.debian.org/security/2018/dsa-4262

Debian -- Security Information -- DSA-4262-1 symfony
Third Party Advisory

CVEs referencing this url
https://symfony.com/blog/cve-2018-11386-denial-of-service-when-using-pdosessionhandler

CVE-2018-11386: Denial of service when using PDOSessionHandler (Symfony Blog)
Vendor Advisory

Jump to

Vulnerability Details : CVE-2018-11386

Products affected by CVE-2018-11386

Exploit prediction scoring system (EPSS) score for CVE-2018-11386

CVSS scores for CVE-2018-11386

CWE ids for CVE-2018-11386

References for CVE-2018-11386