CVE-2022-24895

Summary

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. When authenticating users Symfony by default regenerates the session ID upon login, but preserves the rest of session attributes. Because this does not clear CSRF tokens upon login, this might enables same-site attackers to bypass the CSRF protection mechanism by performing an attack similar to a session-fixation. This issue has been fixed in the 4.4 branch.

Affected Software

VendorProductVersion RangeStatus
symfonysymfony>= 2.0.0, < 4.4.50affected
symfonysymfony>= 5.0.0, < 5.4.20affected
symfonysymfony>= 6.0.0, < 6.0.20affected
symfonysymfony>= 6.1.0, < 6.1.12affected
symfonysymfony>= 6.2.0, < 6.2.6affected

Weaknesses

  • CWE-384: CWE-384: Session Fixation

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References