Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-24895

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. When authenticating users Symfony by default regenerates the session ID upon login, but preserves the rest of session attributes. Because this does not clear CSRF tokens upon login, this might enables same-site attackers to bypass the CSRF protection mechanism by performing an attack similar to a session-fixation. This issue has been fixed in the 4.4 branch.

Published

2023-02-03T22:15:11.273

Last Modified

2025-02-13T17:15:38.940

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 6.3 (MEDIUM)

Weaknesses

Type: Secondary
CWE-384
Type: Primary
CWE-613

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	sensiolabs	symfony	< 4.4.50	Yes
Application	sensiolabs	symfony	< 5.4.20	Yes
Application	sensiolabs	symfony	< 6.0.20	Yes
Application	sensiolabs	symfony	< 6.1.12	Yes
Application	sensiolabs	symfony	< 6.2.6	Yes

References

https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-bundle/CVE-2022-24895.yaml Issue Tracking ([email protected])
https://github.com/symfony/security-bundle/commit/076fd2088ada33d760758d98ff07ddedbf567946 Patch ([email protected])
https://github.com/symfony/symfony/commit/5909d74ecee359ea4982fcf4331aaf2e489a1fd4 Patch ([email protected])
https://github.com/symfony/symfony/security/advisories/GHSA-3gv2-29qc-v67m Patch, Third Party Advisory ([email protected])
https://lists.debian.org/debian-lts-announce/2023/07/msg00014.html ([email protected])
https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-bundle/CVE-2022-24895.yaml Issue Tracking (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/symfony/security-bundle/commit/076fd2088ada33d760758d98ff07ddedbf567946 Patch (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/symfony/symfony/commit/5909d74ecee359ea4982fcf4331aaf2e489a1fd4 Patch (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/symfony/symfony/security/advisories/GHSA-3gv2-29qc-v67m Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2023/07/msg00014.html (af854a3a-2127-422b-91ae-364da2661108)