Symfony Security-Bundle vulnerabilities

5 known vulnerabilities affecting symfony/security-bundle.

Total CVEs: 5
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 1, MEDIUM 3, LOW 1

Vulnerabilities

CVE-2024-50341 | LOW | Affected versions: ≥ 6.2.0, < 6.4.10; ≥ 7.0.0, < 7.0.10; +1 more | 2024-11-06
CVE-2024-50341 [LOW] CWE-287 Symfony's `Security::login` does not take into account custom `user_checker`. Description: The custom `user_checker` defined on a firewall is not called when logging in programmatically with the `Security::login` method, leading to unwanted login. Resolution: The `Security::login` method now ensures that the configured `user_checker` is called. The patch for this issue is available [here](https:
CVE-2022-24895 | MEDIUM | Affected versions: ≥ 2.0.0, < 4.4.50; ≥ 5.0.0, < 5.4.20; +3 more | 2023-02-01
CVE-2022-24895 [MEDIUM] CWE-384 Symfony vulnerable to Session Fixation of CSRF tokens. Description: When authenticating users, Symfony by default regenerates the session ID upon login but preserves the rest of the session attributes. Because this does not clear CSRF tokens upon login, this might enable [same-site attackers](https://canitakeyoursubdomain.name/) to bypass the CSRF protection mechanism by performing an attack similar to a session-f
CVE-2018-11406 | HIGH | Affected versions: ≥ 2.7.0, < 2.7.48; ≥ 2.8.0, < 2.8.41; +3 more | 2022-05-14
CVE-2018-11406 [HIGH] CWE-352 Symfony CSRF Token Fixation. An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. By default, a user's session is invalidated when the user is logged out. This behavior can be disabled through the invalidate_session option. In this case, CSRF tokens were not erased during logout, which allowed for CSRF token fixation.
CVE-2018-11408 | MEDIUM | CVSS 6.1 | Affected versions: ≥ 2.7.0, < 2.7.48; ≥ 2.8.0, < 2.8.41; +3 more | 2022-05-14
CVE-2018-11408 [MEDIUM] CWE-601 Symfony Open Redirect. The security handlers in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11 have an open redirect vulnerability when security.http_utils is inlined by a container. NOTE: this issue exists because of an incomplete fix for CVE-2017-16652.
CVE-2021-41268 | MEDIUM | Affected versions: ≥ 5.3.0, < 5.3.12 | 2021-11-24
CVE-2021-41268 [MEDIUM] CWE-384 Cookie persistence after password changes in symfony/security-bundle. Description: Since the rework of the Remember me cookie in Symfony 5.3, the cookie is no longer invalidated when the user changes their password. Attackers can therefore maintain their access to the account even if the password is changed, as long as they have had the chance to log in once and obtain a valid remember me cookie. Re