CVE-2015-8125

Name of the Vulnerable Software and Affected Versions Symfony versions 2.3.x through 2.3.34 Symfony versions 2.6.x through 2.6.11 Symfony versions 2.7.x through 2.7.6

Description The issue could allow remote attackers to have an unspecified impact through a timing attack involving the classes (1) Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices or (2) Symfony/Component/Security/Http/Firewall/DigestAuthenticationListener in the Symfony Security Component, or (3) legacy CSRF implementation from the Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider class in the Symfony Form component.

Recommendations For Symfony 2.3.x, update to version 2.3.35 or later. For Symfony 2.6.x, update to version 2.6.12 or later. For Symfony 2.7.x, update to version 2.7.7 or later. As a temporary workaround, consider restricting access to the Symfony/Component/Security/Http/RememberMe/PersistentTokenBasedRememberMeServices and Symfony/Component/Security/Http/Firewall/DigestAuthenticationListener classes, as well as the legacy CSRF implementation from the Symfony/Component/Form/Extension/Csrf/CsrfProvider/DefaultCsrfProvider class, until a patch is available.