Back to search
CVE-2016-4423
Published: Jun 1, 2016
Modified: Aug 6, 2024
PUBLISHED
Description
The attemptAuthentication function in Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php in Symfony before 2.3.41, 2.7.x before 2.7.13, 2.8.x before 2.8.6, and 3.0.x before 3.0.6 does not limit the length of a username stored in a session, which allows remote attackers to cause a denial of service (session storage consumption) via a series of authentication attempts with long, non-existent usernames.
| Vendor | Product | Versions |
|---|---|---|
n/a | n/a | affected n/a |
References
https://symfony.com/blog/cve-2016-4423-large-username-storage-in-session
x_refsource_CONFIRM
https://github.com/symfony/symfony/pull/18733
x_refsource_CONFIRM
DSA-3588
vendor-advisory
x_refsource_DEBIAN
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now