Symfony SASSYMFONY:CVE-2018-11406-CSRF-TOKEN-FIXATIONCVE-2018-11406: CSRF Token Fixation
8.5 High
AI Score
Confidence
High
Affected versions
Symfony 2.7.0 to 2.7.47, 2.8.0 to 2.8.40, 3.3.0 to 3.3.16, 3.4.0 to 3.4.10, and 4.0.0 to 4.0.10 versions of the Symfony Security component are affected by this security issue.
The issue has been fixed in Symfony 2.7.48, 2.8.41, 3.3.17, 3.4.11, and 4.0.11. 4.1.0 has also been fixed before its final release.
Note that no fixes are provided for Symfony 3.0, 3.1, and 3.2 as they are not maintained anymore.
Description
By default, a userβs session is invalidated when the user is logged out. This behavior can be disabled through the invalidate_session option. In this case, CSRF tokens where not erased during logout which allowed for CSRF token fixation.
Resolution
We fixed this issue by clearing all CSRF tokens when the user is logged out.
Credits
I would like to thank KΓ©vin Liagre for reporting this security issue, Christian Flothmann for working on a fix, and the Symfony Core Team for reviewing the patch.
Log in to add a reaction to this post
add a reaction β€ π π
Published in #Security Advisories
Related
