Allele Security Alert
Add a separator in the remember me cookie hash
Symfony 2.7.0 to 2.7.50
Symfony 2.8.0 to 2.8.49
Symfony 3.4.0 to 3.4.25
Symfony 4.1.0 to 4.1.11
Symfony 4.2.0 to 4.2.6
Proof of concept
This fixes situations where part of an expiry time in a cookie could be considered part of the username, or part of the username could be considered part of the expiry time. An attacker could modify the remember me cookie and authenticate as a different user. This attack is only possible if remember me functionality is enabled and the two users share a password hash or the password hashes (e.g. UserInterface::getPassword()) are null for all users (which is valid if passwords are checked by an external system, e.g. an SSO).
CVE-2019-10911: Add a separator in the remember me cookie hash
Drupal core – Moderately critical – Multiple Vulnerabilities – SA-CORE-2019-005
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: April 27, 2019