VulnerableCode Package Details - pkg:composer/symfony/http-kernel@2.3.27

Search for packages

Vulnerability	Summary	Fixed by
VCID-guzg-x6nu-pygu Aliases: CVE-2019-18887 GHSA-q8hg-pf8v-cxrv	Symfony Http-Kernel has non-constant time comparison in UriSigner When checking the signature of an URI (an ESI fragment URL for instance), the URISigner did not used a constant time string comparison function, resulting in a potential remote timing attack vulnerability.	2.8.52 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 3.4.35 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 4.2.12 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 4.3.8 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-rgh3-ef8t-k3ec Aliases: CVE-2022-24894 GHSA-h7vf-5wrv-9fhv GMS-2023-209 GMS-2023-212	Duplicate This advisory duplicates another.	4.4.50 Affected by 0 other vulnerabilities. 5.0.0-BETA1 Affected by 0 other vulnerabilities. 5.4.20 Affected by 0 other vulnerabilities. 6.0.0-BETA1 Affected by 0 other vulnerabilities. 6.0.20 Affected by 0 other vulnerabilities. 6.1.0-BETA1 Affected by 0 other vulnerabilities. 6.1.12 Affected by 0 other vulnerabilities. 6.2.0-BETA1 Affected by 0 other vulnerabilities. 6.2.6 Affected by 0 other vulnerabilities.
VCID-up7g-6ewp-uya5 Aliases: CVE-2015-4050 GHSA-qmqw-mpqp-mr54	Improper Access Control FragmentListener in the HttpKernel component in Symfony, when ESI or SSI support enabled, does not check if the `_controller` attribute is set, which allows remote attackers to bypass URL signing and security rules by including (1) no hash or (2) an invalid hash in a request to `/_fragment`.	2.3.29 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 2.5.0 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 2.5.12 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 2.6.8 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-guzg-x6nu-pygu
Aliases:
CVE-2019-18887
GHSA-q8hg-pf8v-cxrv

Symfony Http-Kernel has non-constant time comparison in UriSigner When checking the signature of an URI (an ESI fragment URL for instance), the URISigner did not used a constant time string comparison function, resulting in a potential remote timing attack vulnerability.

2.8.52
Affected by 2 other vulnerabilities.

3.4.35
Affected by 2 other vulnerabilities.

4.2.12
Affected by 2 other vulnerabilities.

4.3.8
Affected by 2 other vulnerabilities.

VCID-rgh3-ef8t-k3ec
Aliases:
CVE-2022-24894
GHSA-h7vf-5wrv-9fhv
GMS-2023-209
GMS-2023-212

Duplicate This advisory duplicates another.

4.4.50
Affected by 0 other vulnerabilities.

5.0.0-BETA1
Affected by 0 other vulnerabilities.

5.4.20
Affected by 0 other vulnerabilities.

6.0.0-BETA1
Affected by 0 other vulnerabilities.

6.0.20
Affected by 0 other vulnerabilities.

6.1.0-BETA1
Affected by 0 other vulnerabilities.

6.1.12
Affected by 0 other vulnerabilities.

6.2.0-BETA1
Affected by 0 other vulnerabilities.

6.2.6
Affected by 0 other vulnerabilities.

VCID-up7g-6ewp-uya5
Aliases:
CVE-2015-4050
GHSA-qmqw-mpqp-mr54

Improper Access Control FragmentListener in the HttpKernel component in Symfony, when ESI or SSI support enabled, does not check if the `_controller` attribute is set, which allows remote attackers to bypass URL signing and security rules by including (1) no hash or (2) an invalid hash in a request to `/_fragment`.

2.3.29
Affected by 2 other vulnerabilities.

2.5.0
Affected by 4 other vulnerabilities.

2.5.12
Affected by 2 other vulnerabilities.

2.6.8
Affected by 2 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-d1kp-7aht-9qa2	Esi Code Injection Applications with ESI support (and SSI support as of Symfony ) enabled and using the Symfony built-in reverse proxy (the `Symfony\Component\HttpKernel\HttpCache` class) are vulnerable to PHP code injection; a malicious user can inject PHP code that will be executed by the server.	CVE-2015-2308 GHSA-5c58-w9xc-qcj9

Vulnerability

Summary

Aliases

VCID-d1kp-7aht-9qa2

Esi Code Injection Applications with ESI support (and SSI support as of Symfony ) enabled and using the Symfony built-in reverse proxy (the `Symfony\Component\HttpKernel\HttpCache` class) are vulnerable to PHP code injection; a malicious user can inject PHP code that will be executed by the server.

CVE-2015-2308
GHSA-5c58-w9xc-qcj9

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-11T23:38:56.947598+00:00	GitLab Importer	Affected by	VCID-rgh3-ef8t-k3ec	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-kernel/GMS-2023-209.yml	38.3.0
2026-04-11T22:10:06.454496+00:00	GitLab Importer	Affected by	VCID-guzg-x6nu-pygu	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-kernel/CVE-2019-18887.yml	38.3.0
2026-04-11T21:42:56.111578+00:00	GitLab Importer	Fixing	VCID-d1kp-7aht-9qa2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-kernel/CVE-2015-2308.yml	38.3.0
2026-04-11T21:42:52.994418+00:00	GitLab Importer	Affected by	VCID-up7g-6ewp-uya5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-kernel/CVE-2015-4050.yml	38.3.0
2026-04-04T14:31:29.967733+00:00	GHSA Importer	Fixing	VCID-d1kp-7aht-9qa2	https://github.com/advisories/GHSA-5c58-w9xc-qcj9	38.1.0
2026-04-02T23:43:10.860997+00:00	GitLab Importer	Affected by	VCID-rgh3-ef8t-k3ec	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-kernel/GMS-2023-209.yml	38.1.0
2026-04-02T22:22:42.415696+00:00	GitLab Importer	Affected by	VCID-guzg-x6nu-pygu	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-kernel/CVE-2019-18887.yml	38.1.0
2026-04-02T21:57:05.461454+00:00	GitLab Importer	Fixing	VCID-d1kp-7aht-9qa2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-kernel/CVE-2015-2308.yml	38.1.0
2026-04-02T21:57:02.290071+00:00	GitLab Importer	Affected by	VCID-up7g-6ewp-uya5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-kernel/CVE-2015-4050.yml	38.1.0
2026-04-01T18:06:01.323659+00:00	GitLab Importer	Affected by	VCID-rgh3-ef8t-k3ec	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-kernel/GMS-2023-209.yml	38.0.0
2026-04-01T16:40:28.890261+00:00	GitLab Importer	Affected by	VCID-guzg-x6nu-pygu	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-kernel/CVE-2019-18887.yml	38.0.0
2026-04-01T16:14:13.528909+00:00	GitLab Importer	Affected by	VCID-up7g-6ewp-uya5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-kernel/CVE-2015-4050.yml	38.0.0
2026-04-01T13:10:32.473553+00:00	GithubOSV Importer	Fixing	VCID-d1kp-7aht-9qa2	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-5c58-w9xc-qcj9/GHSA-5c58-w9xc-qcj9.json	38.0.0
2026-04-01T12:46:57.639374+00:00	GitLab Importer	Fixing	VCID-d1kp-7aht-9qa2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-kernel/CVE-2015-2308.yml	38.0.0