CVE-2013-5750

The login form in the FriendsOfSymfony FOSUserBundle bundle before 1.3.3 for Symfony allows remote attackers to cause a denial of service (CPU consumption) via a long password that triggers an expensive hash computation, as demonstrated by a PBKDF2 computation.

Published Bycve@mitre.org

Published DateSep 25, 2013, 10:31

Affected Versions(2)

friendsofsymfony/user-bundle(Packagist)

Introduced1.2.0

Fixed1.2.5

LimitN/A

friendsofsymfony/user-bundle(Packagist)

Introduced1.3.0

Fixed1.3.3

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
friendsofsymfony/user-bundle(Packagist)	1.2.0	1.2.5	N/A
friendsofsymfony/user-bundle(Packagist)	1.3.0	1.3.3	N/A

Weakness Type (CWE):CWE-399

CVSS Metrics

Base Score

Vector String

AV:N/AC:L/Au:N/C:N/I:N/A:P

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

NONE

Integrity (I)

NONE

Availability (A)

PARTIAL

References

http://symfony.com/blog/cve-2013-5750-security-issue-in-fosuserbundle-login-form

Weakness Type (CWE):CWE-399

CVSS Metrics

Base Score

Vector String

AV:N/AC:L/Au:N/C:N/I:N/A:P

Base Severity

Version

2.0

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

NONE

Integrity (I)

NONE

Availability (A)

PARTIAL