Session Fixation
CVE-2022-24895
Summary
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. When authenticating a user, Symfony by default regenerates the session ID on login but keeps the rest of the session attributes. Because the CSRF tokens stored in the session are not cleared at that point, a same-site attacker (one who can plant a session cookie in the victim's browser, for example from a sibling subdomain) can mount an attack resembling session fixation: obtain a CSRF token in an anonymous session, get the victim's browser to use that session, and wait for the victim to log in. The session ID changes, so the attacker cannot reuse the old ID, but the attacker-known token survives the migration and is still accepted for state-changing requests in the now-authenticated session, bypassing the CSRF protection mechanism. This issue affects versions 2.0.0BETA1 through 4.4.49, 5.0.0-BETA1 through 5.4.19, 6.0.0-BETA1 through 6.0.19, 6.1.0-BETA1 through 6.1.11, and 6.2.0-BETA1 through 6.2.5; the next patch release of each affected branch (4.4.50, 5.4.20, 6.0.20, 6.1.12, 6.2.6) clears stored CSRF tokens when the session is migrated on login.
CVSS v3 base metrics
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- User Interaction: REQUIRED
- Scope: UNCHANGED
- Confidentiality Impact: HIGH
- Integrity Impact: HIGH
- Availability Impact: HIGH
CWE-384 - Session Fixation
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
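The mechanism described in the summary, as an added example that is not part of this advisory and not Symfony's code: a small Python model with a session store whose migrate() regenerates the session ID but carries every attribute across, a CSRF token issued to an anonymous session, and a login step that either preserves the stored tokens (the affected behaviour) or clears them (the patched behaviour). The SessionStore and App classes, the `_csrf/` key prefix, the `transfer` token ID and the attack script are constructed for this example.

```python
"""Constructed model of the CSRF-token fixation in CVE-2022-24895; not Symfony code."""
import secrets

# Assumption for this model: CSRF tokens live in the session under a namespaced key.
CSRF_NS = "_csrf/"


class SessionStore:
    """Server-side session storage keyed by session ID."""

    def __init__(self):
        self._sessions = {}  # session ID -> attribute dict

    def create(self):
        sid = secrets.token_hex(16)
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        # Accepting a never-seen ID as a fresh session is what makes fixation
        # possible in the first place; kept deliberately simple here.
        return self._sessions.setdefault(sid, {})

    def migrate(self, sid):
        """Issue a new session ID but carry every attribute across (the advisory's
        'regenerates the session ID upon login, but preserves the rest')."""
        attrs = self._sessions.pop(sid, {})
        new_sid = secrets.token_hex(16)
        self._sessions[new_sid] = attrs
        return new_sid


class App:
    """Minimal application with a CSRF-protected 'transfer' endpoint."""

    def __init__(self, clear_csrf_on_login):
        self.store = SessionStore()
        # False = affected behaviour, True = patched behaviour
        self.clear_csrf_on_login = clear_csrf_on_login
        self.transfers = []

    def csrf_token(self, sid, token_id):
        """Return the session's token for token_id, creating it on first use."""
        attrs = self.store.get(sid)
        key = CSRF_NS + token_id
        if key not in attrs:
            attrs[key] = secrets.token_urlsafe(32)
        return attrs[key]

    def login(self, sid, user):
        attrs = self.store.get(sid)
        attrs["user"] = user
        new_sid = self.store.migrate(sid)
        if self.clear_csrf_on_login:
            # The fix: drop every stored CSRF token when the session is migrated,
            # so tokens issued to the anonymous session cannot outlive the login.
            attrs = self.store.get(new_sid)
            for key in [k for k in attrs if k.startswith(CSRF_NS)]:
                del attrs[key]
        return new_sid

    def transfer(self, sid, token, to, amount):
        attrs = self.store.get(sid)
        if "user" not in attrs:
            return "unauthenticated"
        expected = attrs.get(CSRF_NS + "transfer", "")
        if not secrets.compare_digest(expected, token):
            return "csrf rejected"
        self.transfers.append((attrs["user"], to, amount))
        return "ok"


def run_attack(clear_csrf_on_login):
    """Play the same-site fixation attack against an App and report the outcome."""
    app = App(clear_csrf_on_login)

    # 1. Attacker starts an anonymous session and learns its CSRF token
    #    (any page that renders a form reveals it to the session holder).
    attacker_sid = app.store.create()
    known_token = app.csrf_token(attacker_sid, "transfer")

    # 2. Same-site attacker plants that session ID in the victim's browser
    #    (e.g. a cookie set from a sibling origin); the victim now uses it.
    victim_sid = attacker_sid

    # 3. Victim logs in. The session ID is regenerated, so the attacker can no
    #    longer use the old ID directly ...
    victim_sid = app.login(victim_sid, "alice")
    assert victim_sid != attacker_sid

    # 4. ... but a forged POST from the victim's browser carries the new cookie
    #    plus the attacker-chosen token, which the affected app still finds in
    #    the migrated session.
    return app.transfer(victim_sid, known_token, to="mallory", amount=100)


if __name__ == "__main__":
    print("tokens preserved on login:", run_attack(clear_csrf_on_login=False))
    print("tokens cleared on login:  ", run_attack(clear_csrf_on_login=True))
```

Running the script prints `ok` for the preserving variant and `csrf rejected` for the clearing one. The point to take from login() is that regenerating the session ID is necessary against classic session fixation but not sufficient here: the attacker never needs the old ID, only the token that rode along with the attributes. Any state issued to the pre-authentication session that is later used for an authorization decision has to be discarded at the login boundary.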