CVE-2016-4423

Name of the Vulnerable Software and Affected Versions Symfony versions prior to 2.3.41 Symfony versions 2.7.x prior to 2.7.13 Symfony versions 2.8.x prior to 2.8.6 Symfony versions 3.0.x prior to 3.0.6

Description The issue is related to the attemptAuthentication function in Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php, which does not limit the length of a username stored in a session. This allows remote attackers to cause a denial of service (session storage consumption) via a series of authentication attempts with long, non-existent usernames.

Recommendations For Symfony versions prior to 2.3.41, update to version 2.3.41 or later. For Symfony versions 2.7.x prior to 2.7.13, update to version 2.7.13 or later. For Symfony versions 2.8.x prior to 2.8.6, update to version 2.8.6 or later. For Symfony versions 3.0.x prior to 3.0.6, update to version 3.0.6 or later.