PT-2016-4915 · Sensiolabs · Symfony

Fabpot

Published

2016-05-29

Updated

2022-05-17

CVE-2016-1902

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions Symfony versions prior to 2.3.37 Symfony versions 2.6.x prior to 2.6.13 Symfony versions 2.7.x prior to 2.7.9

Description The issue concerns the generation of random numbers by the nextBytes function in the SecureRandom class. When used with PHP 5.x and without the paragonie/random compat library, the function does not work correctly if the openssl random pseudo bytes function fails. This makes it easier for attackers to bypass cryptographic protection mechanisms.

Recommendations For Symfony versions prior to 2.3.37, update to version 2.3.37 or later. For Symfony versions 2.6.x prior to 2.6.13, update to version 2.6.13 or later. For Symfony versions 2.7.x prior to 2.7.9, update to version 2.7.9 or later.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-310CWE-332

Related Identifiers

CVE-2016-1902

DSA-3588-1

GHSA-JJX5-FQ5G-8XPC

Affected Products

Symfony

PT-2016-4915 · Sensiolabs · Symfony

CVE-2016-1902

Weakness Enumeration

Related Identifiers

Affected Products

References · 23