GitHub Advisory DatabaseGHSA-J5JH-HPR4-H332Symfony Session Fixation Vulnerability
6.8 Medium
CVSS2
Access Vector
Access Complexity
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.015 Low
EPSS
Percentile
87.2%
A session fixation vulnerability within the “Remember Me” login feature allows an attacker to impersonate the victim towards the web application if the session id value was previously known to the attacker. This issue has been fixed in Symfony 2.3.35, 2.6.12, and 2.7.7. Note that no fixes are provided for Symfony 2.4 and 2.5 as they are not maintained anymore. Symfony 2.8 and 3.0 haven’t been released yet and the fix will be included in their first stable releases.
Affected configurations
References
lists.fedoraproject.org/pipermail/package-announce/2015-December/173271.html
lists.fedoraproject.org/pipermail/package-announce/2015-December/173300.html
seclists.org/fulldisclosure/2015/Dec/89
www.debian.org/security/2015/dsa-3402
github.com/advisories/GHSA-j5jh-hpr4-h332
github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2015-8124.yaml
github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security/CVE-2015-8124.yaml
github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2015-8124.yaml
github.com/symfony/symfony/pull/16631
nvd.nist.gov/vuln/detail/CVE-2015-8124
symfony.com/blog/cve-2015-8124-session-fixation-in-the-remember-me-login-feature
symfony.com/cve-2015-8124
web.archive.org/web/20201209020014/www.securityfocus.com/archive/1/537183/100/0/threaded
web.archive.org/web/20210125123853/www.securityfocus.com/bid/77694
Related
6.8 Medium
CVSS2
Access Vector
Access Complexity
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.015 Low
EPSS
Percentile
87.2%