CVE-2022-24895

MEDIUM

Symfony 2.0.0-4.4.49 - Insufficient Session Expiration via CSRF Token Preservation

Title source: llm

Description

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. When authenticating users Symfony by default regenerates the session ID upon login, but preserves the rest of session attributes. Because this does not clear CSRF tokens upon login, this might enables same-site attackers to bypass the CSRF protection mechanism by performing an attack similar to a session-fixation. This issue has been fixed in the 4.4 branch.

References (5)

Core 5

Core References

Patch, Third Party Advisory x_refsource_confirm

https://github.com/symfony/symfony/security/advisories/GHSA-3gv2-29qc-v67m

Patch x_refsource_misc

https://github.com/symfony/security-bundle/commit/076fd2088ada33d760758d98ff07ddedbf567946

View Patch ZIP pw:eip

Patch x_refsource_misc

https://github.com/symfony/symfony/commit/5909d74ecee359ea4982fcf4331aaf2e489a1fd4

View Patch ZIP pw:eip

Issue Tracking x_refsource_misc

https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-bundle/CVE-2022-24895.yaml

View Writeup ZIP pw:eip

Mailing List

https://lists.debian.org/debian-lts-announce/2023/07/msg00014.html

Scores

CVSS v3 6.3

EPSS 0.0079

EPSS Percentile 51.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-613 CWE-384

Status published

Products (3)

sensiolabs/symfony 2.0.0 - 4.4.50

symfony/security-bundle 2.0.0 - 4.4.50Packagist

symfony/symfony 2.0.0 - 4.4.50Packagist

Published Feb 03, 2023

Tracked Since Feb 18, 2026