CVE-2022-24894

Name of the Vulnerable Software and Affected Versions Symfony versions prior to 4.4

Description The Symfony HTTP cache system acts as a reverse proxy, caching entire responses, including headers, and returning them to clients. A recent change in the AbstractSessionListener may cause the response to contain a Set-Cookie header. If the Symfony HTTP cache system is enabled, this response might be stored and returned to other clients, allowing an attacker to retrieve the victim's session.

Recommendations For versions prior to 4.4, update to branch 4.4 to resolve the issue. As a temporary workaround, consider disabling the AbstractSessionListener or restricting access to the Symfony HTTP cache system until the patch is applied. The HttpStore constructor now takes a parameter containing a list of private headers that are removed from the HTTP response headers, with the default value being Set-Cookie, which can be overridden or extended by the application.