Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 might allow remote attackers to have unspecified impact via a timing attack involving the (1) Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices or (2) Symfony/Component/Security/Http/Firewall/DigestAuthenticationListener class in the Symfony Security Component, or (3) legacy CSRF implementation from the Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider class in the Symfony Form component.
| Version | Base score | Base severity | Vector |
|---|
| Hyperlink | Resource Type |
|---|
Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 might allow remote attackers to have unspecified impact via a timing attack involving the (1) Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices or (2) Symfony/Component/Security/Http/Firewall/DigestAuthenticationListener class in the Symfony Security Component, or (3) legacy CSRF implementation from the Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider class in the Symfony Form component.
| Type | CWE ID | Description |
|---|---|---|
| text | N/A | n/a |
| Version | Base score | Base severity | Vector |
|---|
| CAPEC ID | Description |
|---|
| Event | Date |
|---|
| Hyperlink | Resource |
|---|---|
| http://lists.fedoraproject.org/pipermail/package-announce/2015-December/173271.html | vendor-advisory x_refsource_FEDORA |
| http://lists.fedoraproject.org/pipermail/package-announce/2015-December/173300.html | vendor-advisory x_refsource_FEDORA |
| http://www.debian.org/security/2015/dsa-3402 | vendor-advisory x_refsource_DEBIAN |
| https://symfony.com/blog/cve-2015-8125-potential-remote-timing-attack-vulnerability-in-security-remember-me-service | x_refsource_CONFIRM |
| http://www.securityfocus.com/bid/77692 | vdb-entry x_refsource_BID |
| Version | Base score | Base severity | Vector |
|---|
| CAPEC ID | Description |
|---|
| Event | Date |
|---|
| Hyperlink | Resource |
|---|---|
| http://lists.fedoraproject.org/pipermail/package-announce/2015-December/173271.html | vendor-advisory x_refsource_FEDORA x_transferred |
| http://lists.fedoraproject.org/pipermail/package-announce/2015-December/173300.html | vendor-advisory x_refsource_FEDORA x_transferred |
| http://www.debian.org/security/2015/dsa-3402 | vendor-advisory x_refsource_DEBIAN x_transferred |
| https://symfony.com/blog/cve-2015-8125-potential-remote-timing-attack-vulnerability-in-security-remember-me-service | x_refsource_CONFIRM x_transferred |
| http://www.securityfocus.com/bid/77692 | vdb-entry x_refsource_BID x_transferred |
Symfony 2.3.x before 2.3.35, 2.6.x before 2.6.12, and 2.7.x before 2.7.7 might allow remote attackers to have unspecified impact via a timing attack involving the (1) Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices or (2) Symfony/Component/Security/Http/Firewall/DigestAuthenticationListener class in the Symfony Security Component, or (3) legacy CSRF implementation from the Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider class in the Symfony Form component.
| Date Added | Due Date | Vulnerability Name | Required Action |
|---|---|---|---|
| N/A |
| Type | Version | Base score | Base severity | Vector |
|---|---|---|---|---|
| Primary | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| CWE ID | Type | Source |
|---|---|---|
| NVD-CWE-noinfo | Primary | nvd@nist.gov |