CVE-2022-24895 — Session Fixation in Symfony

CWE-384 — Session Fixation CWE-613 — Insufficient Session Expiration8 documents6 sources

Severity

8.8HIGHNVD

CNA6.3

EPSS

0.0%

top 94.36%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Symfony Sensiolabs Symfony Symfony Security-bundle

Timeline

PublishedFeb 3

Latest updateFeb 18

Description

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. When authenticating users Symfony by default regenerates the session ID upon login, but preserves the rest of session attributes. Because this does not clear CSRF tokens upon login, this might enables same-site attackers to bypass the CSRF protection mechanism by performing an attack similar to a session-fixation. This issue has been fixed in the 4.4 branch.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages6 packages

▶Packagistsymfony/symfony2.0.0 — 4.4.50+4

▶NVDsensiolabs/symfony2.0.0 — 4.4.50+4

▶Packagistsymfony/security-bundle2.0.0 — 4.4.50+4

▶Debiansymfony/symfony< 4.4.19+dfsg-2+deb11u2+3

▶Ubuntusymfony/symfony< 4.3.8+dfsg-1ubuntu1+esm2+2

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

symfony vulnerabilities↗2025-02-18

▶

CVEList

Symfony vulnerable to Session Fixation of CSRF tokens↗2023-02-03

▶

OSV

CVE-2022-24895: Symfony is a PHP framework for web and console applications and a set of reusable PHP components↗2023-02-03

▶

OSV

Symfony vulnerable to Session Fixation of CSRF tokens↗2023-02-01

▶

GHSA

Symfony vulnerable to Session Fixation of CSRF tokens↗2023-02-01

▶

📋Vendor Advisories

Ubuntu

Symfony vulnerabilities↗2025-02-18

▶

Debian

CVE-2022-24895: symfony - Symfony is a PHP framework for web and console applications and a set of reusabl...↗2022

▶