CVE-2016-4423

Published: Jun 1, 2016Modified: May 6, 2026

7.5

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

The attemptAuthentication function in Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php in Symfony before 2.3.41, 2.7.x before 2.7.13, 2.8.x before 2.8.6, and 3.0.x before 3.0.6 does not limit the length of a username stored in a session, which allows remote attackers to cause a denial of service (session storage consumption) via a series of authentication attempts with long, non-existent usernames.

Affected (27)

Products: Sensiolabs: Symfony · Debian: Debian Linux

1 product

1 product

Configuration A

26 vulnerable

Vulnerable Software	Affected Versions
Sensiolabs Symfony	Up to 2.3.40
Sensiolabs Symfony	Version 2.7.0
Sensiolabs Symfony	Version 2.7.10
Sensiolabs Symfony	Version 2.7.11
Sensiolabs Symfony	Version 2.7.12
Sensiolabs Symfony	Version 2.7.1
Sensiolabs Symfony	Version 2.7.2
Sensiolabs Symfony	Version 2.7.3
Sensiolabs Symfony	Version 2.7.4
Sensiolabs Symfony	Version 2.7.5
Sensiolabs Symfony	Version 2.7.6
Sensiolabs Symfony	Version 2.7.7
Sensiolabs Symfony	Version 2.7.8
Sensiolabs Symfony	Version 2.7.9
Sensiolabs Symfony	Version 2.8.0
Sensiolabs Symfony	Version 2.8.1
Sensiolabs Symfony	Version 2.8.2
Sensiolabs Symfony	Version 2.8.3
Sensiolabs Symfony	Version 2.8.4
Sensiolabs Symfony	Version 2.8.5
Sensiolabs Symfony	Version 3.0.0
Sensiolabs Symfony	Version 3.0.1
Sensiolabs Symfony	Version 3.0.2
Sensiolabs Symfony	Version 3.0.3
Sensiolabs Symfony	Version 3.0.4
Sensiolabs Symfony	Version 3.0.5