CVE-2023-46733 — Session Fixation in Symfony

CWE-384 — Session Fixation6 documents5 sources

Severity

6.5MEDIUMNVD

EPSS

1.1%

top 22.34%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Symfony Sensiolabs Symfony Symfony Security-http

Timeline

PublishedNov 10

Latest updateNov 12

Description

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 5.4.21 and 6.2.7 and prior to versions 5.4.31 and 6.3.8, `SessionStrategyListener` does not migrate the session after every successful login. It does so only in case the logged in user changes by means of checking the user identifier. In some use cases, the user identifier doesn't change between the verification phase and the successful login, while the token itself changes from…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages5 packages

▶Packagistsymfony/symfony5.4.21 — 5.4.31+1

▶NVDsensiolabs/symfony5.4.21 — 5.4.31+1

▶Packagistsymfony/security-http5.4.21 — 5.4.31+1

▶Debiansymfony/symfony< 5.4.23+dfsg-1+deb12u1+2

▶CVEListV5symfony/symfony>= 5.4.21, < 5.4.31, >= 6.2.7, < 6.3.8+1

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Symfony possible session fixation vulnerability↗2023-11-12

▶

GHSA

Symfony possible session fixation vulnerability↗2023-11-12

▶

CVEList

Symfony possible session fixation vulnerability↗2023-11-10

▶

OSV

CVE-2023-46733: Symfony is a PHP framework for web and console applications and a set of reusable PHP components↗2023-11-10

▶

📋Vendor Advisories

Debian

CVE-2023-46733: symfony - Symfony is a PHP framework for web and console applications and a set of reusabl...↗2023

▶