CVE-2022-24894 — Improper Authorization in Symfony

CWE-285 — Improper Authorization8 documents6 sources

Severity

8.8HIGHNVD

CNA5.9

EPSS

0.2%

top 59.32%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Symfony Sensiolabs Symfony Symfony Http-kernel

Timeline

PublishedFeb 3

Latest updateFeb 18

Description

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony HTTP cache system, acts as a reverse proxy: It caches entire responses (including headers) and returns them to the clients. In a recent change in the `AbstractSessionListener`, the response might contain a `Set-Cookie` header. If the Symfony HTTP cache system is enabled, this response might bill stored and return to the next clients. An attacker can use this vulnerability to retrieve the…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages6 packages

▶Packagistsymfony/http-kernel2.0.0 — 4.4.50+4

▶Packagistsymfony/symfony2.0.0 — 4.4.50+4

▶NVDsensiolabs/symfony2.0.0 — 4.4.50+4

▶Debiansymfony/symfony< 4.4.19+dfsg-2+deb11u2+3

▶Ubuntusymfony/symfony< 4.3.8+dfsg-1ubuntu1+esm2+2

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

symfony vulnerabilities↗2025-02-18

▶

OSV

CVE-2022-24894: Symfony is a PHP framework for web and console applications and a set of reusable PHP components↗2023-02-03

▶

CVEList

Symfony storing cookie headers in HttpCache↗2023-02-03

▶

GHSA

Symfony storing cookie headers in HttpCache↗2023-02-01

▶

OSV

Symfony storing cookie headers in HttpCache↗2023-02-01

▶

📋Vendor Advisories

Ubuntu

Symfony vulnerabilities↗2025-02-18

▶

Debian

CVE-2022-24894: symfony - Symfony is a PHP framework for web and console applications and a set of reusabl...↗2022

▶