CVE-2019-18887

Name of the Vulnerable Software and Affected Versions Symfony versions 2.8.0 through 2.8.50 Symfony versions 3.4.0 through 3.4.34 Symfony versions 4.2.0 through 4.2.11 Symfony versions 4.3.0 through 4.3.7

Description The issue is related to the UriSigner in Symfony, which is subject to timing attacks due to the lack of a constant time string comparison function when checking the signature of an URI. This could allow a remote attacker to access confidential data, compromise its integrity, and cause a denial of service. The vulnerability is related to concurrent execution and the use of a shared resource with improper synchronization.

Recommendations For Symfony versions 2.8.0 through 2.8.50, update to a version that includes a fix for the UriSigner timing attack issue. For Symfony versions 3.4.0 through 3.4.34, update to a version that includes a fix for the UriSigner timing attack issue. For Symfony versions 4.2.0 through 4.2.11, update to a version that includes a fix for the UriSigner timing attack issue. For Symfony versions 4.3.0 through 4.3.7, update to a version that includes a fix for the UriSigner timing attack issue.