7.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2016-1902

GHSA ID

GHSA-jjx5-fq5g-8xpc

EPSS Score

0.59697%

CWE

CWE-332

Published

5/17/2022

Updated

2/8/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2016-1902

CVE-2016-1902: Symfony Cryptographic Vulnerability

The nextBytes function in the SecureRandom class in Symfony before 2.3.37, 2.6.x before 2.6.13, and 2.7.x before 2.7.9 does not properly generate random numbers when used with PHP 5.x without the paragonie/random_compat library and the openssl_random_pseudo_bytes function fails, which makes it easier for attackers to defeat cryptographic protection mechanisms via unspecified vectors.

(GitHub Advisory)

7.5

CVSS Score

3.0

Basic Information

CVE ID

CVE-2016-1902

GHSA ID

GHSA-jjx5-fq5g-8xpc

EPSS Score

0.59697%

CWE

CWE-332

Published

5/17/2022

Updated

2/8/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
symfony/security-core	composer	>= 2.4.0, < 2.6.13	2.6.13
symfony/security-core	composer	>= 2.7.0, < 2.7.9	2.7.9
symfony/security	composer	>= 2.3.0, < 2.3.37	2.3.37
symfony/security	composer	>= 2.4.0, < 2.6.13	2.6.13
symfony/security	composer	>= 2.7.0, < 2.7.9	2.7.9
symfony/symfony	composer	>= 2.3.0, < 2.3.37	2.3.37
symfony/symfony	composer	>= 2.4.0, < 2.6.13	2.6.13
symfony/symfony	composer	>= 2.7.0, < 2.7.9	2.7.9

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from SecureRandom's fallback mechanism when OpenSSL fails. The advisory explicitly mentions the nextBytes function as the problematic entry point. The Symfony blog post confirms the insecure fallback to PHP's weak PRNG functions (uniqid/mt_rand) in PHP 5.x environments without random_compat. The CWE-332 mapping aligns with insufficient entropy in this PRNG implementation. The GitHub PR #17359 and associated commits show removal of custom RNG logic, confirming this was the vulnerable code path.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** n*xt*yt*s *un*tion in t** S**ur*R*n*om *l*ss in Sym*ony ***or* *.*.**, *.*.x ***or* *.*.**, *n* *.*.x ***or* *.*.* *o*s not prop*rly **n*r*t* r*n*om num**rs w**n us** wit* P*P *.x wit*out t** p*r**oni*/r*n*om_*omp*t li*r*ry *n* t** op*nssl_r*n*om

Reasoning

T** vuln*r**ility st*ms *rom S**ur*R*n*om's **ll***k m****nism w**n Op*nSSL **ils. T** **visory *xpli*itly m*ntions t** n*xt*yt*s *un*tion *s t** pro*l*m*ti* *ntry point. T** Sym*ony *lo* post *on*irms t** ins**ur* **ll***k to P*P's w**k PRN* *un*tio

7.5

Basic Information

Concerned about an active attack path?

CVE-2016-1902: Symfony Cryptographic Vulnerability

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI