7.5

CVSS Score

3.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2016-4423

CVE-2016-4423: Symphony Denial of Service Via Overlong Usernames

The attemptAuthentication function in Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php in Symfony before 2.3.41, 2.7.x before 2.7.13, 2.8.x before 2.8.6, and 3.0.x before 3.0.6 does not limit the length of a username stored in a session, which allows remote attackers to cause a denial of service (session storage consumption) via a series of authentication attempts with long, non-existent usernames.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2016-4423

CVE-2016-4423:

7.5

CVSS Score

3.0

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
symfony/security-http	composer	>= 2.3.0, < 2.3.41	2.3.41
symfony/security-http	composer	>= 2.4.0, < 2.7.13	2.7.13
symfony/security-http	composer	>= 2.8.0, < 2.8.6	2.8.6
symfony/security-http	composer	>= 3.0.0, < 3.0.6	3.0.6
symfony/security	composer	>= 2.3.0, < 2.3.41	2.3.41
symfony/security	composer	>= 2.4.0, < 2.7.13	2.7.13
symfony/security	composer	>= 2.8.0, < 2.8.6	2.8.6
symfony/security	composer	>= 3.0.0, < 3.0.6	3.0.6
symfony/symfony	composer	>= 2.3.0, < 2.3.41	2.3.41
symfony/symfony	composer	>= 2.4.0, < 2.7.13	2.7.13
symfony/symfony	composer	>= 2.8.0, < 2.8.6	2.8.6
symfony/symfony	composer	>= 3.0.0, < 3.0.6	3.0.6

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description explicitly identifies the attemptAuthentication function in UsernamePasswordFormAuthenticationListener.php as the source of the issue. Multiple authoritative sources (Symfony security advisory, CVE description, GitHub advisory) confirm this function's role in storing unchecked username values in sessions. The subsequent patch in Symfony's repository modifies this exact function to add length validation, corroborating its vulnerability status. The clear correlation between the vulnerability description, affected component, and patched code location provides high confidence in this assessment.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2016-4423: Symphony Denial of Service Via Overlong Usernames

CVE-2016-4423:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

7.5

7.5

CVE-2016-4423: Symphony Denial of Service Via Overlong Usernames

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI