PT-2018-3148 · Symfony · Symfony
Chris Wilkinson
·
Publicado
2018-05-25
·
Atualizado
2022-05-14
·
CVE-2018-11385
CVSS v3.1
8.1
Alta
| Vetor | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Symfony versions 2.7.x through 2.7.47
Symfony versions 2.8.x through 2.8.40
Symfony versions 3.3.x through 3.3.16
Symfony versions 3.4.x through 3.4.10
Symfony versions 4.0.x through 4.0.10
Description
The issue is related to session management errors in the Security component of the Symfony platform. It may allow a remote attacker to elevate their privileges. A session fixation vulnerability within the "Guard" login feature may allow an attacker to impersonate a victim towards the web application if the session id value was previously known to the attacker.
Recommendations
For Symfony versions 2.7.x through 2.7.47, update to version 2.7.48 or later.
For Symfony versions 2.8.x through 2.8.40, update to version 2.8.41 or later.
For Symfony versions 3.3.x through 3.3.16, update to version 3.3.17 or later.
For Symfony versions 3.4.x through 3.4.10, update to version 3.4.11 or later.
For Symfony versions 4.0.x through 4.0.10, update to version 4.0.11 or later.
Exploit
Correção
Session Fixation
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Symfony