Lucene search

K
githubGitHub Advisory DatabaseGHSA-J5JH-HPR4-H332
HistoryMay 14, 2022 - 2:47 a.m.

Symfony Session Fixation Vulnerability

2022-05-1402:47:28
CWE-384
GitHub Advisory Database
github.com
8

6.8 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.015 Low

EPSS

Percentile

87.2%

A session fixation vulnerability within the “Remember Me” login feature allows an attacker to impersonate the victim towards the web application if the session id value was previously known to the attacker. This issue has been fixed in Symfony 2.3.35, 2.6.12, and 2.7.7. Note that no fixes are provided for Symfony 2.4 and 2.5 as they are not maintained anymore. Symfony 2.8 and 3.0 haven’t been released yet and the fix will be included in their first stable releases.

Affected configurations

Vulners
Node
symfonytwigRange<2.7.7
OR
symfonytwigRange<2.6.12
OR
symfonytwigRange<2.3.35
OR
symfonytwigRange<2.7.7
OR
symfonytwigRange<2.6.12
OR
symfonytwigRange<2.7.7
OR
symfonytwigRange<2.6.12
OR
symfonytwigRange<2.3.35

References

6.8 Medium

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

0.015 Low

EPSS

Percentile

87.2%