Insufficient Session Expiration

CVE-2018-11386

Medium

5.9/10

Summary

An issue was discovered in the HttpFoundation component in Symfony 2.7.0 before 2.7.48, 2.8.x before 2.8.41, 3.x.x before 3.3.17, 3.4.x before 3.4.11, 4.0.x before 4.0.11 and, 4.1.x before 4.1.0-BETA3. The PDOSessionHandler class allows storing sessions on a PDO connection. Under some configurations and with a well-crafted payload, it was possible to do a denial of service on a Symfony application without too much resources.

Attack Complexity: HIGH
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: NONE
Availability Impact: HIGH

CWE-613 - Insufficient Session Expiration

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

References

Advisory
Advisory

Advisory Timeline

Published Jun 13, 2018

Insufficient Session Expiration

CVE-2018-11386

Summary

CWE-613 - Insufficient Session Expiration

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS