5

CVSS Score

Basic Information

CVE ID

CVE-2013-5958

GHSA ID

GHSA-cr49-fx2v-9p57

EPSS Score

0.63804%

CWE

CWE-789

Published

5/17/2022

Updated

4/25/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2013-5958

CVE-2013-5958: Symfony Denial of Service Via Long Password Hashing

The Security component in Symfony 2.0.x before 2.0.25, 2.1.x before 2.1.13, 2.2.x before 2.2.9, and 2.3.x before 2.3.6 allows remote attackers to cause a denial of service (CPU consumption) via a long password that triggers an expensive hash computation, as demonstrated by a PBKDF2 computation, a similar issue to CVE-2013-5750.

(GitHub Advisory)

5

CVSS Score

Basic Information

CVE ID

CVE-2013-5958

GHSA ID

GHSA-cr49-fx2v-9p57

EPSS Score

0.63804%

CWE

CWE-789

Published

5/17/2022

Updated

4/25/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

AV:N/AC:L/Au:N/C:N/I:N/A:P

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
symfony/symfony	composer	>= 2.0.0, < 2.0.25	2.0.25
symfony/symfony	composer	>= 2.1.0, < 2.1.13	2.1.13
symfony/symfony	composer	>= 2.2.0, < 2.2.9	2.2.9
symfony/symfony	composer	>= 2.3.0, < 2.3.6	2.3.6
symfony/polyfill	composer	>= 1.0.0, < 1.10.0	1.10.0
symfony/security	composer	>= 2.0.0, < 2.0.25	2.0.25
symfony/security	composer	>= 2.1.0, < 2.1.13	2.1.13
symfony/security	composer	>= 2.2.0, < 2.2.9	2.2.9
symfony/security	composer	>= 2.3.0, < 2.3.6	2.3.6

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from password handling functions not limiting input size before resource-intensive hashing operations. The Security component's encoder interface and its implementations (like Pbkdf2PasswordEncoder) were directly responsible for processing passwords. Patches added length checks in encodePassword() and isPasswordValid(), confirming these as the vulnerable entry points. The CVE description and Symfony's advisory explicitly mention these methods' role in the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** S**urity *ompon*nt in Sym*ony *.*.x ***or* *.*.**, *.*.x ***or* *.*.**, *.*.x ***or* *.*.*, *n* *.*.x ***or* *.*.* *llows r*mot* *tt**k*rs to **us* * **ni*l o* s*rvi** (*PU *onsumption) vi* * lon* p*sswor* t**t tri***rs *n *xp*nsiv* **s* *omput*t

Reasoning

T** vuln*r**ility st*mm** *rom p*sswor* **n*lin* *un*tions not limitin* input siz* ***or* r*sour**-int*nsiv* **s*in* op*r*tions. T** S**urity *ompon*nt's *n*o**r int*r**** *n* its impl*m*nt*tions (lik* `P*k***P*sswor**n*o**r`) w*r* *ir**tly r*sponsi*

5

Basic Information

Concerned about an active attack path?

CVE-2013-5958: Symfony Denial of Service Via Long Password Hashing

5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI