{"id":"CVE-2016-4423","details":"The attemptAuthentication function in Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php in Symfony before 2.3.41, 2.7.x before 2.7.13, 2.8.x before 2.8.6, and 3.0.x before 3.0.6 does not limit the length of a username stored in a session, which allows remote attackers to cause a denial of service (session storage consumption) via a series of authentication attempts with long, non-existent usernames.","aliases":["GHSA-whgv-8cg3-7hcm"],"modified":"2026-04-16T14:50:09.448611Z","published":"2016-06-01T22:59:02.457Z","references":[{"type":"ADVISORY","url":"http://www.debian.org/security/2016/dsa-3588"},{"type":"ADVISORY","url":"https://symfony.com/blog/cve-2016-4423-large-username-storage-in-session"},{"type":"FIX","url":"https://github.com/symfony/symfony/pull/18733"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/symfony/symfony","events":[{"introduced":"0"},{"last_affected":"7bcb5deb31d2ba005dcf97f731fac64e46922f95"},{"last_affected":"9975b1eca3de4db792a2c3e4e16f676a4aadcd46"},{"last_affected":"932b6e7499c670f4db6d0b871477a4a3ca161e74"},{"last_affected":"969d709ad428076bf1084e386dc26dd904d9fb84"},{"last_affected":"a9af4708b4bb650c4897e9b8dfbfbdb2ea5f0486"},{"last_affected":"1fdf23fe28876844b887b0e1935c9adda43ee645"},{"last_affected":"619528a274647cffc1792063c3ea04c4fa8266a0"},{"last_affected":"66b2e9662c44d478b69e48278aa54079a006eb42"},{"last_affected":"cc69dbd24b4b2e6de60b2414ef95da2794f459a2"},{"last_affected":"ad264021e44a5aaa132f16aef69f92e56795683e"},{"last_affected":"d3646cc6875c214d211001e0673ec9e91b5f2da7"},{"last_affected":"9a3b6bf6ebee49370aaf15abc1bdeb4b1986a67d"},{"last_affected":"66c99826ce3d4392aa1fd08564946cb4277e3897"},{"last_affected":"9edf2430f1846602844d2b434f26389a018f494f"},{"last_affected":"5615b92cd452cd54f1433a3f53de87c096a1107f"},{"last_affected":"8956ed50a44c5c4e02f2176c0773e24487477b09"},{"last_affected":"f3e6a82bcbea4db3b56df08e491e20a1faae82b5"},{"last_affected":"7a9a5fce7ce6e448e527f635463dda00761e12c2"},{"last_affected":"9e14f9f4869c19188a376eab61d9a1c1f1fee347"},{"last_affected":"39ddd2383f4113cf67f8b28cde2c9d3fa340c3c2"},{"last_affected":"eb2a4f5f7a09fc4ce7a74ae883a8cf8a279614f5"},{"last_affected":"979d7323716fec847508eac3e62d59b117612a6e"},{"last_affected":"18c3d4f356931a5b6a4afb0cc679a2c58931c795"},{"last_affected":"09ae53562ce8b7842206efa217ec81442975f055"},{"last_affected":"4e17cb2ecb3fd637097ebeb871fc0e2cbdd5e7ff"},{"last_affected":"10c83b58fbb42be516377de54962a758695ad964"},{"last_affected":"2e913a829cfbbf9cb38b321bdff1806b44b192eb"}],"database_specific":{"source":"CPE_FIELD","extracted_events":[{"introduced":"0"},{"last_affected":"2.3.40"},{"last_affected":"2.7.0"},{"last_affected":"2.7.1"},{"last_affected":"2.7.2"},{"last_affected":"2.7.3"},{"last_affected":"2.7.4"},{"last_affected":"2.7.5"},{"last_affected":"2.7.6"},{"last_affected":"2.7.7"},{"last_affected":"2.7.8"},{"last_affected":"2.7.9"},{"last_affected":"2.7.10"},{"last_affected":"2.7.11"},{"last_affected":"2.7.12"},{"last_affected":"2.8.0"},{"last_affected":"2.8.1"},{"last_affected":"2.8.2"},{"last_affected":"2.8.3"},{"last_affected":"2.8.4"},{"last_affected":"2.8.5"},{"last_affected":"3.0.0"},{"last_affected":"3.0.1"},{"last_affected":"3.0.2"},{"last_affected":"3.0.3"},{"last_affected":"3.0.4"},{"last_affected":"3.0.5"},{"last_affected":"8.0"}],"cpe":["cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*","cpe:2.3:a:sensiolabs:symfony:2.7.0:*:*:*:*:*:*:*","cpe:2.3:a:sensiolabs:symfony:2.7.1:*:*:*:*:*:*:*","cpe:2.3:a:sensiolabs:symfony:2.7.2:*:*:*:*:*:*:*","cpe:2.3:a:sensiolabs:symfony:2.7.3:*:*:*:*:*:*:*","cpe:2.3:a:sensiolabs:symfony:2.7.4:*:*:*:*:*:*:*","cpe:2.3:a:sensiolabs:symfony:2.7.5:*:*:*:*:*:*:*","cpe:2.3:a:sensiolabs:symfony:2.7.6:*:*:*:*:*:*:*","cpe:2.3:a:sensiolabs:symfony:2.7.7:*:*:*:*:*:*:*","cpe:2.3:a:sensiolabs:symfony:2.7.8:*:*:*:*:*:*:*","cpe:2.3:a:sensiolabs:symfony:2.7.9:*:*:*:*:*:*:*","cpe:2.3:a:sensiolabs:symfony:2.7.10:*:*:*:*:*:*:*","cpe:2.3:a:sensiolabs:symfony:2.7.11:*:*:*:*:*:*:*","cpe:2.3:a:sensiolabs:symfony:2.7.12:*:*:*:*:*:*:*","cpe:2.3:a:sensiolabs:symfony:2.8.0:*:*:*:*:*:*:*","cpe:2.3:a:sensiolabs:symfony:2.8.1:*:*:*:*:*:*:*","cpe:2.3:a:sensiolabs:symfony:2.8.2:*:*:*:*:*:*:*","cpe:2.3:a:sensiolabs:symfony:2.8.3:*:*:*:*:*:*:*","cpe:2.3:a:sensiolabs:symfony:2.8.4:*:*:*:*:*:*:*","cpe:2.3:a:sensiolabs:symfony:2.8.5:*:*:*:*:*:*:*","cpe:2.3:a:sensiolabs:symfony:3.0.0:*:*:*:*:*:*:*","cpe:2.3:a:sensiolabs:symfony:3.0.1:*:*:*:*:*:*:*","cpe:2.3:a:sensiolabs:symfony:3.0.2:*:*:*:*:*:*:*","cpe:2.3:a:sensiolabs:symfony:3.0.3:*:*:*:*:*:*:*","cpe:2.3:a:sensiolabs:symfony:3.0.4:*:*:*:*:*:*:*","cpe:2.3:a:sensiolabs:symfony:3.0.5:*:*:*:*:*:*:*","cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*"]}}],"versions":["v2.0.0","v2.0.0-RC1","v2.0.0-RC2","v2.0.0-RC3","v2.0.0-RC4","v2.0.0-RC5","v2.0.0-RC6","v2.0.0BETA1","v2.0.0BETA2","v2.0.0BETA3","v2.0.0BETA4","v2.0.0BETA5","v2.0.0PR8","v2.1.0","v2.1.0-BETA1","v2.1.0-BETA2","v2.1.0-BETA3","v2.1.0-BETA4","v2.1.0-RC1","v2.1.0-RC2","v2.2.0-BETA1","v2.2.0-BETA2","v2.3.0","v2.3.0-BETA1","v2.3.0-BETA2","v2.3.0-RC1","v2.3.1","v2.3.10","v2.3.11","v2.3.12","v2.3.13","v2.3.14","v2.3.15","v2.3.16","v2.3.17","v2.3.19","v2.3.2","v2.3.20","v2.3.21","v2.3.22","v2.3.23","v2.3.24","v2.3.25","v2.3.26","v2.3.27","v2.3.28","v2.3.29","v2.3.3","v2.3.30","v2.3.31","v2.3.32","v2.3.33","v2.3.34","v2.3.35","v2.3.36","v2.3.37","v2.3.38","v2.3.39","v2.3.4","v2.3.40","v2.3.5","v2.3.6","v2.3.7","v2.3.8","v2.3.9","v2.4.0-BETA1","v2.4.0-BETA2","v2.5.0-BETA1","v2.5.0-BETA2","v2.6.0-BETA1","v2.7.0","v2.7.0-BETA1","v2.7.0-BETA2","v2.7.1","v2.7.10","v2.7.11","v2.7.12","v2.7.2","v2.7.3","v2.7.4","v2.7.5","v2.7.6","v2.7.7","v2.7.8","v2.7.9","v2.8.0","v2.8.0-BETA1","v2.8.1","v2.8.2","v2.8.3","v2.8.4","v2.8.5","v3.0.0","v3.0.0-BETA1","v3.0.1","v3.0.2","v3.0.3","v3.0.4","v3.0.5","v3.2.0-BETA1","v3.2.0-RC1","v3.3.0-BETA1","v4.0.0-BETA1","v4.0.0-BETA2","v4.0.0-BETA3","v4.0.0-BETA4","v4.2.0-BETA1","v4.2.0-BETA2","v4.3.0-BETA1","v5.0.0-BETA1","v5.0.0-BETA2","v5.0.0-RC1","v5.1.0-BETA1","v5.2.0-BETA1","v5.2.0-BETA2","v5.2.0-BETA3","v5.3.0-BETA1","v5.3.0-BETA2","v5.3.0-BETA3","v5.3.0-BETA4","v6.0.0-BETA1","v6.0.0-BETA2","v6.0.0-BETA3","v6.0.0-RC1","v6.1.0-BETA1","v6.1.0-BETA2","v6.1.0-RC1","v6.2.0-BETA1","v6.2.0-BETA2","v6.2.0-BETA3","v6.3.0-BETA1","v6.3.0-BETA2","v6.3.0-BETA3","v6.3.0-RC1","v7.0.0-BETA1","v7.0.0-BETA2","v7.0.0-BETA3","v7.0.0-RC1","v7.1.0-BETA1","v7.1.0-RC1","v7.2.0-BETA1","v7.2.0-BETA2","v7.2.0-RC1","v7.3.0-BETA1","v7.3.0-BETA2","v7.3.0-RC1","v8.0.0","v8.0.0-BETA1","v8.0.0-BETA2","v8.0.0-RC1","v8.0.0-RC2","v8.0.0-RC3","vPR3","vPR4","vPR5","vPR6","vPR8","vPR9"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2016-4423.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}