CVE-2018-11386
Symfony DoS
5.9
MEDIUM
CVSS 3.1
EPSS 1.1%
Description
An issue was discovered in the HttpFoundation component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. The PDOSessionHandler class allows storing sessions on a PDO connection. Under some configurations and with a well-crafted payload, it was possible to do a denial of service on a Symfony application without too much resources.
How to fix CVE-2018-11386
To remediate CVE-2018-11386, upgrade the affected package to a fixed version below.
- —upgrade to 3.4.12+dfsg-1 or later
- —upgrade to 2.7.48 or later
- —upgrade to 2.7.48 or later
Is CVE-2018-11386 being exploited?
Low — EPSS is 1.1%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 3.4.12+dfsg-1
- >= 2.7.0, < 2.7.48
- >= 2.7.0, < 2.7.48
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.9 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |