CVE-2019-18887: Symfony Http-Kernel has non-constant time comparison in UriSigner

CVSS Score: 8.1 (CVSS v3.1)

Basic Information
CVE ID: CVE-2019-18887
GHSA ID:
EPSS Score: 0.73281%
CWE:
Published: 3/26/2022
Updated: 2/1/2024
KEV Status: No
Technology: PHP

Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
symfony/http-kernel | composer | >= 2.2.0, < 2.8.52 | 2.8.52 |
symfony/http-kernel | composer | >= 3.0.0, < 3.4.35 | 3.4.35 |
symfony/http-kernel | composer | >= 4.0.0, < 4.2.12 | 4.2.12 |
symfony/http-kernel | composer | >= 4.3.0, < 4.3.8 | 4.3.8 |
symfony/symfony | composer | >= 2.2.0, < 2.8.52 | 2.8.52 |
symfony/symfony | composer | >= 3.0.0, < 3.4.35 | 3.4.35 |
symfony/symfony | composer | >= 4.0.0, < 4.2.12 | 4.2.12 |
symfony/symfony | composer | >= 4.3.0, < 4.3.8 | 4.3.8 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from insecure signature comparison in UriSigner. The Symfony blog explicitly states they fixed it by implementing hash_equals(), a constant-time comparison function. The checkSignature() method is the logical location for signature validation in UriSigner, and the CVE description specifically mentions the UriSigner class as the vulnerable component. The high confidence comes from:

1) Official Symfony documentation confirming the fix pattern
2) Security bulletin specificity about the affected component
3) Standard cryptographic practice that signature verification requires constant-time comparisons
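The following is an added illustration of the fix pattern described above; it is not Symfony's own UriSigner code. It builds a minimal HMAC-based URI signer with hypothetical function names (signUri, splitSigned, checkSignatureUnsafe, checkSignature) and a constructed secret, and places the timing-unsafe string comparison beside the hash_equals() version so the difference in the verification step is visible.

```php
<?php
// Added example, not Symfony's UriSigner. Function names and the secret are
// constructed for this illustration.

const DEMO_SECRET = 'constructed-demo-secret'; // constructed sample value

// Append an HMAC-SHA256 signature of the URI as a `_hash` query parameter.
function signUri(string $uri, string $secret): string
{
    $sig = base64_encode(hash_hmac('sha256', $uri, $secret, true));
    $sep = str_contains($uri, '?') ? '&' : '?';
    return $uri . $sep . '_hash=' . rawurlencode($sig);
}

// Split a signed URI into the unsigned base URI and the presented signature.
function splitSigned(string $signedUri): array
{
    $parts = parse_url($signedUri);
    parse_str($parts['query'] ?? '', $query);
    $given = (string) ($query['_hash'] ?? '');
    unset($query['_hash']);
    $base = ($parts['scheme'] ?? 'http') . '://' . ($parts['host'] ?? '') . ($parts['path'] ?? '/');
    if ($query !== []) {
        $base .= '?' . http_build_query($query);
    }
    return [$base, $given];
}

// Vulnerable pattern: === compares byte by byte and returns at the first
// mismatch, so the time taken depends on how long the matching prefix is.
function checkSignatureUnsafe(string $signedUri, string $secret): bool
{
    [$base, $given] = splitSigned($signedUri);
    $expected = base64_encode(hash_hmac('sha256', $base, $secret, true));
    return $given === $expected;
}

// Fixed pattern: hash_equals() takes time independent of where the
// strings differ, which is the change the advisory describes.
function checkSignature(string $signedUri, string $secret): bool
{
    [$base, $given] = splitSigned($signedUri);
    $expected = base64_encode(hash_hmac('sha256', $base, $secret, true));
    return hash_equals($expected, $given);
}

$signed = signUri('https://example.test/download?id=42', DEMO_SECRET);
var_dump(checkSignature($signed, DEMO_SECRET));       // untouched URI verifies
var_dump(checkSignature($signed . 'x', DEMO_SECRET)); // altered signature is rejected
```

Both checks return the same boolean for a given input; the defect is only in how long the unsafe variant takes to say "no", which is why the fix is a one-line swap of the comparison rather than a change to the signing scheme. When reviewing similar code, look for `==`, `===`, `strcmp()` or `substr_compare()` on a MAC, token or password hash and replace them with hash_equals(), keeping the known-good value as the first argument.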