CVE-2016-4423: Large username storage in session

June 1, 2016 (updated June 3, 2016)

When an authentication form is submitted by the user and if the user does not exist, the submitted username is stored in the session. If an attacker submit multiple requests with large usernames, he can potentially fill up the session storage.

References

symfony.com/blog/cve-2016-4423-large-username-storage-in-session
github.com/symfony/symfony/pull/18733

Detect and mitigate CVE-2016-4423 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →