CVE-2022-24895

MEDIUM

Sensiolabs Symfony < 4.4.50 - CSRF

Title source: rule

Description

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. When authenticating users Symfony by default regenerates the session ID upon login, but preserves the rest of session attributes. Because this does not clear CSRF tokens upon login, this might enables same-site attackers to bypass the CSRF protection mechanism by performing an attack similar to a session-fixation. This issue has been fixed in the 4.4 branch.

References (5)

[Patch, Third Party Advisory] https://github.com/symfony/symfony/security/advisories/GHSA-3gv2-29qc-v67m

[Patch] https://github.com/symfony/security-bundle/commit/076fd2088ada33d760758d98ff07ddedbf567946

View Patch ZIP pw:eip

[Patch] https://github.com/symfony/symfony/commit/5909d74ecee359ea4982fcf4331aaf2e489a1fd4

View Patch ZIP pw:eip

[Issue Tracking] https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-bundle/CVE-2022-24895.yaml

View Writeup ZIP pw:eip

[Mailing List] https://lists.debian.org/debian-lts-announce/2023/07/msg00014.html

Scores

CVSS v3 6.3

EPSS 0.0002

EPSS Percentile 5.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-613 CWE-384

Status published

Products (3)

sensiolabs/symfony 2.0.0 - 4.4.50

symfony/security-bundle 2.0.0 - 4.4.50Packagist

symfony/symfony 2.0.0 - 4.4.50Packagist

Published Feb 03, 2023

Tracked Since Feb 18, 2026