PT-2018-3149 · Symfony · Symfony

Federico Stange · Published 2018-05-25 · Updated 2022-05-14 · CVE-2018-11386

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

- Symfony versions 2.7.x through 2.7.47
- Symfony versions 2.8.x through 2.8.40
- Symfony versions 3.3.x through 3.3.16
- Symfony versions 3.4.x through 3.4.10
- Symfony versions 4.0.x through 4.0.10
Description

The issue is in the HttpFoundation component of Symfony, specifically the PDOSessionHandler class, which stores sessions in a database through a PDO connection. Under certain configurations and with a well-crafted payload, it is possible to cause a denial of service on a Symfony application without significant resources. The vulnerability can be exploited by a remote attacker to cause a denial of service.
Recommendations

- For Symfony versions 2.7.x through 2.7.47, update to version 2.7.48 or later.
- For Symfony versions 2.8.x through 2.8.40, update to version 2.8.41 or later.
- For Symfony versions 3.3.x through 3.3.16, update to version 3.3.17 or later.
- For Symfony versions 3.4.x through 3.4.10, update to version 3.4.11 or later.
- For Symfony versions 4.0.x through 4.0.10, update to version 4.0.11 or later.
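A practical way to apply these recommendations across a code base is to check the locked Symfony version against the affected ranges. The script below is an added example, not part of the advisory or of Symfony itself: the ranges and fixed versions are the ones stated above, the composer.lock fragment is constructed sample data, and it assumes the affected HttpFoundation code is installed either through the monolithic symfony/symfony package or the split symfony/http-foundation component (both share Symfony's version numbering).

```python
"""Check a locked Symfony version against the ranges in PT-2018-3149 / CVE-2018-11386.

Added example, not part of the advisory. Ranges and fixed versions are taken
from the advisory's Recommendations; the composer.lock content is constructed.
"""
import json
import re

# (first affected, last affected, first fixed), inclusive on both ends.
# Assumption: "2.7.x" is read as starting at 2.7.0, and likewise for the others.
AFFECTED_RANGES = [
    ("2.7.0", "2.7.47", "2.7.48"),
    ("2.8.0", "2.8.40", "2.8.41"),
    ("3.3.0", "3.3.16", "3.3.17"),
    ("3.4.0", "3.4.10", "3.4.11"),
    ("4.0.0", "4.0.10", "4.0.11"),
]

# Assumption: the vulnerable PDOSessionHandler ships in both of these packages.
PACKAGES = ("symfony/symfony", "symfony/http-foundation")


def parse_version(version: str):
    """Turn 'v3.4.9' or '3.4.9' into a comparable (major, minor, patch) tuple.

    Non-release strings such as 'dev-master' return None and are not assessed.
    """
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version)
    return tuple(int(x) for x in m.groups()) if m else None


def assess(version: str):
    """Return the first fixed version to upgrade to, or None if not affected."""
    v = parse_version(version)
    if v is None:
        return None
    for low, high, fixed in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return fixed
    return None


def check_lock(lock_json: str):
    """Return {package: (installed, fixed)} for affected packages in a composer.lock."""
    data = json.loads(lock_json)
    findings = {}
    for pkg in data.get("packages", []) + data.get("packages-dev", []):
        name = pkg.get("name")
        if name in PACKAGES:
            fixed = assess(pkg.get("version", ""))
            if fixed:
                findings[name] = (pkg["version"], fixed)
    return findings


# Constructed composer.lock fragment (not from any real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "symfony/http-foundation", "version": "v3.4.9"},
        {"name": "symfony/console", "version": "v3.4.9"},
        {"name": "doctrine/orm", "version": "v2.6.1"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for name, (installed, fixed) in check_lock(SAMPLE_LOCK).items():
        print(f"{name} {installed}: affected, update to {fixed} or later")
```

Run against a real project by replacing SAMPLE_LOCK with the contents of its composer.lock; a result of no findings means the locked version is outside the ranges the advisory lists, not that every Symfony version is safe.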

Exploit

Fix

DoS

Insufficient Session Expiration


Weakness Enumeration

Related Identifiers

BDU:2019-04244
CVE-2018-11386
DSA-4262-1
GHSA-R2RQ-3H56-FQM4

Affected Products

Symfony