VulnerableCode Package Details - pkg:composer/symfony/http-kernel@2.5.12

Search for packages

Vulnerability	Summary	Fixed by
VCID-s3ep-tgah-aud1 Aliases: CVE-2019-18887 GHSA-q8hg-pf8v-cxrv	Symfony Http-Kernel has non-constant time comparison in UriSigner When checking the signature of an URI (an ESI fragment URL for instance), the URISigner did not used a constant time string comparison function, resulting in a potential remote timing attack vulnerability.	2.8.52 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 3.4.35 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 4.2.12 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 4.3.8 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-s3ep-tgah-aud1
Aliases:
CVE-2019-18887
GHSA-q8hg-pf8v-cxrv

Symfony Http-Kernel has non-constant time comparison in UriSigner When checking the signature of an URI (an ESI fragment URL for instance), the URISigner did not used a constant time string comparison function, resulting in a potential remote timing attack vulnerability.

2.8.52
Affected by 1 other vulnerability.

3.4.35
Affected by 1 other vulnerability.

4.2.12
Affected by 1 other vulnerability.

4.3.8
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
VCID-5gjg-vdx2-ykar	Symfony Incorrect Access Control FragmentListener in the HttpKernel component in Symfony 2.3.19 through 2.3.28, 2.4.9 through 2.4.10, 2.5.4 through 2.5.11, and 2.6.0 through 2.6.7, when ESI or SSI support enabled, does not check if the `_controller` attribute is set, which allows remote attackers to bypass URL signing and security rules by including (1) no hash or (2) an invalid hash in a request to `/_fragment`. This issue has been fixed in Symfony 2.3.29, 2.5.12, and 2.6.8. Note that no fixes are provided for Symfony 2.4 as it's not maintained anymore.	CVE-2015-4050 GHSA-qmqw-mpqp-mr54

Vulnerability

Summary

Aliases

VCID-5gjg-vdx2-ykar

Symfony Incorrect Access Control FragmentListener in the HttpKernel component in Symfony 2.3.19 through 2.3.28, 2.4.9 through 2.4.10, 2.5.4 through 2.5.11, and 2.6.0 through 2.6.7, when ESI or SSI support enabled, does not check if the `_controller` attribute is set, which allows remote attackers to bypass URL signing and security rules by including (1) no hash or (2) an invalid hash in a request to `/_fragment`. This issue has been fixed in Symfony 2.3.29, 2.5.12, and 2.6.8. Note that no fixes are provided for Symfony 2.4 as it's not maintained anymore.

CVE-2015-4050
GHSA-qmqw-mpqp-mr54

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-07-03T17:37:30.708117+00:00	GitLab Importer	Affected by	VCID-s3ep-tgah-aud1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-kernel/CVE-2019-18887.yml	37.0.0
2025-07-03T17:13:26.940719+00:00	GitLab Importer	Fixing	VCID-5gjg-vdx2-ykar	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-kernel/CVE-2015-4050.yml	37.0.0
2025-07-01T18:10:05.829171+00:00	GitLab Importer	Fixing	VCID-5gjg-vdx2-ykar	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/packagist/symfony/http-kernel/CVE-2015-4050.yml	36.1.3
2025-07-01T12:28:58.334951+00:00	GithubOSV Importer	Fixing	VCID-5gjg-vdx2-ykar	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-qmqw-mpqp-mr54/GHSA-qmqw-mpqp-mr54.json	36.1.3