CVE-2016-4423: CVE-2016-4423: Large username storage in session

June 1, 2016 (updated June 3, 2016)

The attemptAuthentication function in Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php does not limit the length of a username stored in a session, which allows remote attackers to cause a denial of service (session storage consumption) via a series of authentication attempts with long, non-existent usernames.

References

symfony.com/cve-2016-4423

Code Behaviors & Features

Detect and mitigate CVE-2016-4423 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →