PT-2023-1575 · Symfony+4

Marco Squarcina · Published 2023-02-01 · Updated 2025-02-18

CVE-2022-24895

CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Symfony versions prior to 4.4

Description: The issue is related to incorrect session management in Symfony, a PHP framework for web and console applications. When authenticating users, Symfony by default regenerates the session ID upon login but preserves the rest of the session attributes, including CSRF tokens. A CSRF token issued to the unauthenticated (pre-login) session therefore remains valid after the user logs in. This might enable same-site attackers to bypass the CSRF protection mechanism by performing an attack similar to session fixation.

Recommendations: For versions prior to 4.4, update to version 4.4 or later, which includes the fix for this issue. As a temporary workaround, consider manually clearing CSRF tokens from the session on successful login to prevent potential exploitation.
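The workaround above can be implemented as a Symfony event subscriber that wipes the CSRF token storage once a user has been authenticated. The following is an added example written for this record; it is not Symfony's own fix and not code from the advisory. It assumes an application using the Security and Csrf components with the default session-backed token storage; the class name `ClearCsrfTokensOnLoginSubscriber` and the namespace `App\EventListener` are hypothetical.

```php
<?php
// Added example (not Symfony's own code): clear CSRF tokens from the session
// on successful login, so tokens minted before authentication cannot be reused
// by a same-site attacker after the session ID has been migrated.

namespace App\EventListener;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\Security\Csrf\TokenStorage\ClearableTokenStorageInterface;
use Symfony\Component\Security\Csrf\TokenStorage\SessionTokenStorage;
use Symfony\Component\Security\Csrf\TokenStorage\TokenStorageInterface;
use Symfony\Component\Security\Http\Event\InteractiveLoginEvent;
use Symfony\Component\Security\Http\SecurityEvents;

final class ClearCsrfTokensOnLoginSubscriber implements EventSubscriberInterface
{
    /** @var TokenStorageInterface CSRF token storage (autowired to security.csrf.token_storage) */
    private $csrfTokenStorage;

    public function __construct(TokenStorageInterface $csrfTokenStorage)
    {
        $this->csrfTokenStorage = $csrfTokenStorage;
    }

    public static function getSubscribedEvents(): array
    {
        // INTERACTIVE_LOGIN is dispatched after the firewall has authenticated the
        // user and after the session authentication strategy (migrate) has run,
        // so anything we remove here is gone from the post-login session.
        return [SecurityEvents::INTERACTIVE_LOGIN => 'onInteractiveLogin'];
    }

    public function onInteractiveLogin(InteractiveLoginEvent $event): void
    {
        // Preferred path: storages that implement ClearableTokenStorageInterface
        // (SessionTokenStorage does) can wipe all of their tokens at once.
        if ($this->csrfTokenStorage instanceof ClearableTokenStorageInterface) {
            $this->csrfTokenStorage->clear();

            return;
        }

        // Fallback: remove every session attribute stored under the default
        // "_csrf" namespace that SessionTokenStorage uses ("_csrf/<tokenId>").
        $request = $event->getRequest();
        if (!$request->hasSession()) {
            return;
        }

        $session = $request->getSession();
        $prefix = SessionTokenStorage::SESSION_NAMESPACE.'/';
        foreach (array_keys($session->all()) as $key) {
            if (0 === strpos($key, $prefix)) {
                $session->remove($key);
            }
        }
    }
}
```

With default autowiring and autoconfiguration the subscriber is registered as soon as the file is placed under `src/EventListener/`; otherwise tag the service with `kernel.event_subscriber`. After deploying, verify the behaviour by obtaining a CSRF token from a form while logged out, logging in, and confirming that a request carrying the old token is now rejected with an "invalid CSRF token" error.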

Exploit

Fix

Weakness Enumeration

Session Fixation
Insufficient Session Expiration

Related Identifiers

BDU:2023-01057
BIT-SYMFONY-2022-24895
CVE-2022-24895
DLA-3493-1
GHSA-3GV2-29QC-V67M
USN-7272-1

Affected Products

Astra Linux
Linuxmint
Red Os
Symfony
Ubuntu