Sebastiaan Stok

**Name of the Vulnerable Software and Affected Versions** Symfony versions 2.3.x through 2.3.34 Symfony versions 2.6.x through 2.6.11 Symfony versions 2.7.x through 2.7.6 **Description** The issue could allow remote attackers to have an unspecified impact through a timing attack involving the classes (1) Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices or (2) Symfony/Component/Security/Http/Firewall/DigestAuthenticationListener in the Symfony Security Component, or (3) legacy CSRF implementation from the Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider class in the Symfony Form component. **Recommendations** For Symfony 2.3.x, update to version 2.3.35 or later. For Symfony 2.6.x, update to version 2.6.12 or later. For Symfony 2.7.x, update to version 2.7.7 or later. As a temporary workaround, consider restricting access to the `Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices` and `Symfony/Component/Security/Http/Firewall/DigestAuthenticationListener` classes, as well as the legacy CSRF implementation from the `Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider` class, until a patch is available.