PT-2023-7208 · Symfony · Symfony

Robertme · Published 2023-11-10 · Updated 2024-03-06 · CVE-2023-46733

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:L/Au:S/C:N/I:C/A:N
Name of the Vulnerable Software and Affected Versions: Symfony versions 5.4.21 through 5.4.30; Symfony versions 6.2.7 through 6.3.7
Description: The issue stems from incorrect session handling in the SessionStrategyListener event listener in Symfony. This can allow a remote attacker to compromise the integrity of protected information. The problem arises when the user identifier does not change between the verification phase and successful login, but the token type changes from partially-authenticated to fully-authenticated. In such cases the session ID should be regenerated to prevent session fixation, but this does not occur.
Recommendations: For Symfony versions 5.4.21 through 5.4.30, update to version 5.4.31 or later. For Symfony versions 6.2.7 through 6.3.7, update to version 6.3.8 or later. As a temporary workaround, consider regenerating the session ID after every successful login to prevent possible session fixation.
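The temporary workaround above, written as a Symfony event subscriber. This is an added example, not code from Symfony or from the advisory; the class name, namespace and file location are assumptions, and it relies on the LoginSuccessEvent and SessionInterface::migrate() APIs available in the affected 5.4 and 6.x branches.

```php
<?php
// Added example (not Symfony's own code): enforce the advisory's workaround
// of regenerating the session ID after every successful login.
// Hypothetical location: src/EventSubscriber/RegenerateSessionIdOnLoginSubscriber.php
declare(strict_types=1);

namespace App\EventSubscriber;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\Security\Http\Event\LoginSuccessEvent;

final class RegenerateSessionIdOnLoginSubscriber implements EventSubscriberInterface
{
    public static function getSubscribedEvents(): array
    {
        // Negative priority (assumed ordering) so this runs after Symfony's
        // own LoginSuccessEvent listeners, including the SessionStrategyListener
        // that skips the regeneration in the affected versions.
        return [LoginSuccessEvent::class => ['onLoginSuccess', -64]];
    }

    public function onLoginSuccess(LoginSuccessEvent $event): void
    {
        $request = $event->getRequest();

        // Stateless firewalls carry no session, so there is nothing to regenerate;
        // calling getSession() without this check would throw.
        if (!$request->hasSession()) {
            return;
        }

        // migrate(true) issues a fresh session ID, keeps the session attributes,
        // and destroys the old ID, so an ID established before login cannot be
        // reused afterwards regardless of how the token type changed.
        $request->getSession()->migrate(true);
    }
}
```

With service autoconfiguration enabled the subscriber is registered automatically; remove it after upgrading to 5.4.31 or 6.3.8, where the built-in listener handles this case itself.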

Weakness Enumeration: Session Fixation

Related Identifiers

BDU:2023-08236
BIT-SYMFONY-2023-46733
CVE-2023-46733
GHSA-M2WJ-R6G3-FXFX

Affected Products

Symfony