CVE-2022-24894

CVSS v2.0

High

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions Symfony versions prior to 4.4

Description The Symfony HTTP cache system acts as a reverse proxy, caching entire responses, including headers, and returning them to clients. A recent change in the AbstractSessionListener may cause the response to contain a Set-Cookie header. If the Symfony HTTP cache system is enabled, this response might be stored and returned to other clients, allowing an attacker to retrieve the victim's session.

Recommendations For versions prior to 4.4, update to branch 4.4 to resolve the issue. As a temporary workaround, consider disabling the AbstractSessionListener or restricting access to the Symfony HTTP cache system until the patch is applied. The HttpStore constructor now takes a parameter containing a list of private headers that are removed from the HTTP response headers, with the default value being Set-Cookie, which can be overridden or extended by the application.

Exploit

Fix

Improper Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-285

Related Identifiers

ALT-PU-2023-6184

ALT-PU-2024-4537

ALT-PU-2024-4547

ALT-PU-2024-4961

BDU:2023-01072

BIT-SYMFONY-2022-24894

CVE-2022-24894

DLA-3493-1

GHSA-H7VF-5WRV-9FHV

USN-7272-1

Affected Products

Alt Linux

Astra Linux

Linuxmint

Red Os

Symfony

Ubuntu

CVE-2022-24894

Weakness Enumeration

Related Identifiers

Affected Products

References · 37