CVE-2022-24895

Symfony vulnerable to Session Fixation of CSRF tokens

Description

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. When authenticating users Symfony by default regenerates the session ID upon login, but preserves the rest of session attributes. Because this does not clear CSRF tokens upon login, this might enables same-site attackers to bypass the CSRF protection mechanism by performing an attack similar to a session-fixation. This issue has been fixed in the 4.4 branch.

References

Link	Tags
https://github.com/symfony/symfony/security/advisories/GHSA-3gv2-29qc-v67m	third party advisory patch
https://github.com/symfony/security-bundle/commit/076fd2088ada33d760758d98ff07ddedbf567946	patch
https://github.com/symfony/symfony/commit/5909d74ecee359ea4982fcf4331aaf2e489a1fd4	patch
https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-bundle/CVE-2022-24895.yaml	issue tracking
https://lists.debian.org/debian-lts-announce/2023/07/msg00014.html

Frequently Asked Questions

What is the severity of CVE-2022-24895?: CVE-2022-24895 has been scored as a medium severity vulnerability.
How to fix CVE-2022-24895?: To fix CVE-2022-24895, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2022-24895 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2022-24895 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-24895?: CVE-2022-24895 affects symfony symfony.

Description

Categories

CWE-384 – Session Fixation

CWE-613 – Insufficient Session Expiration

References

Frequently Asked Questions