=====================================================================
CERT-Renater Note d'Information No. 2023/VULN062
_____________________________________________________________________
DATE                 : 10/02/2023
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Symfony versions prior to
                       4.4.50, 5.4.20, 6.0.20, 6.1.12, 6.2.6.
=====================================================================
https://github.com/symfony/symfony/security/advisories/GHSA-3gv2-29qc-v67m
https://github.com/symfony/symfony/security/advisories/GHSA-h7vf-5wrv-9fhv
_____________________________________________________________________

Possible CSRF token fixation
Severity : Low
fabpot published GHSA-3gv2-29qc-v67m on Feb 1, 2023

Package           : symfony/security-bundle (Composer)
Affected versions : >= 2.0.0, < 4.4.50
                    >= 5.0.0, < 5.4.20
                    >= 6.0.0, < 6.0.20
                    >= 6.1.0, < 6.1.12
                    >= 6.2.0, < 6.2.6
Patched versions  : 4.4.50, 5.4.20, 6.0.20, 6.1.12, 6.2.6

Description

When authenticating a user, Symfony by default regenerates the session ID upon login but preserves the rest of the session attributes. Because CSRF tokens are stored as session attributes and are not cleared on login, a same-site attacker can bypass the CSRF protection mechanism with an attack similar to session fixation: a CSRF token obtained for a session before login remains valid for that session after the user has authenticated.

Resolution

Symfony now removes all CSRF tokens from the session on successful login. The patch for this issue is available (see the GitHub advisory) for branch 4.4.

Credits

We would like to thank Marco Squarcina for reporting the issue and Nicolas Grekas for fixing it.
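The following script is an added illustration of the CSRF token fixation described in this first advisory; it is not code from Symfony or from the advisory. It models a session store whose migrate() changes the session ID but keeps the attributes, exactly the behaviour the advisory describes, and a login handler that optionally clears the CSRF tokens as the fix does. The only assumption carried over from Symfony is that session-backed CSRF tokens live under "_csrf/<tokenId>" keys; every class, function and value in the script is constructed for the example (PHP 8.0 or later).

```php
<?php
// Added example (not Symfony's own code): why regenerating the session ID
// while keeping session attributes leaves a pre-login CSRF token valid,
// and how clearing the CSRF namespace on login closes the gap.
// Assumption: tokens are stored under "_csrf/<tokenId>" keys, mirroring
// Symfony's session token storage; everything else here is a toy model.
declare(strict_types=1);

const CSRF_NAMESPACE = '_csrf/';

final class SessionStore
{
    /** @var array<string, array<string, string>> sessionId => attributes */
    private array $sessions = [];

    public function create(): string
    {
        $id = bin2hex(random_bytes(16));
        $this->sessions[$id] = [];
        return $id;
    }

    public function get(string $id, string $key): ?string
    {
        return $this->sessions[$id][$key] ?? null;
    }

    public function set(string $id, string $key, string $value): void
    {
        $this->sessions[$id][$key] = $value;
    }

    /** New session ID, same attributes: the behaviour the advisory describes. */
    public function migrate(string $oldId): string
    {
        $newId = bin2hex(random_bytes(16));
        $this->sessions[$newId] = $this->sessions[$oldId];
        unset($this->sessions[$oldId]);
        return $newId;
    }

    /** Drop every CSRF token in the session (what the patched releases do on login). */
    public function clearCsrfTokens(string $id): void
    {
        foreach (array_keys($this->sessions[$id]) as $key) {
            if (str_starts_with($key, CSRF_NAMESPACE)) {
                unset($this->sessions[$id][$key]);
            }
        }
    }
}

/** Token issued when a form is rendered; reused if one already exists for this session. */
function getOrCreateToken(SessionStore $store, string $sessionId, string $tokenId): string
{
    $key = CSRF_NAMESPACE . $tokenId;
    $token = $store->get($sessionId, $key);
    if ($token === null) {
        $token = bin2hex(random_bytes(32));
        $store->set($sessionId, $key, $token);
    }
    return $token;
}

/** Check performed when the form is submitted. */
function isTokenValid(SessionStore $store, string $sessionId, string $tokenId, string $candidate): bool
{
    $stored = $store->get($sessionId, CSRF_NAMESPACE . $tokenId);
    return $stored !== null && hash_equals($stored, $candidate);
}

/** Login handler; $clearCsrf = false reproduces the vulnerable behaviour. */
function login(SessionStore $store, string $sessionId, string $user, bool $clearCsrf): string
{
    $newId = $store->migrate($sessionId);   // defence against session ID fixation
    if ($clearCsrf) {
        $store->clearCsrfTokens($newId);    // defence against CSRF token fixation (the fix)
    }
    $store->set($newId, '_security_user', $user);
    return $newId;
}

foreach (['vulnerable' => false, 'patched' => true] as $label => $clearCsrf) {
    $store = new SessionStore();

    // 1. A same-site attacker plants an anonymous session in the victim's browser
    //    and learns the CSRF token the application issued for that session.
    $plantedSession = $store->create();
    $attackerKnownToken = getOrCreateToken($store, $plantedSession, 'transfer');

    // 2. The victim logs in through the planted session; the session ID changes.
    $victimSession = login($store, $plantedSession, 'alice', $clearCsrf);

    // 3. A forged request from the same site carries the victim's (new) session
    //    cookie plus the token the attacker learned before login.
    $accepted = isTokenValid($store, $victimSession, 'transfer', $attackerKnownToken);
    printf("%-11s pre-login token accepted after login: %s\n", $label . ':', $accepted ? 'yes' : 'no');
}
```

Run with `php csrf_fixation.php`: the "vulnerable" store accepts the pre-login token because migrate() copied the "_csrf/transfer" attribute into the new session, while the "patched" store rejects it and the next form render issues a fresh token. The model matches the advisory's point that regenerating the session ID alone is not enough; the attributes carried across the regeneration must not include anything the attacker could have learned before login.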
Severity   : Low
CVE ID     : CVE-2022-24895
Weaknesses : No CWEs
Credits    : @nicolas-grekas (nicolas-grekas), @lavish (lavish)
_____________________________________________________________________

Prevent storing cookie headers in HttpCache
Severity : Moderate
fabpot published GHSA-h7vf-5wrv-9fhv

Package           : symfony/http-kernel (Composer)
Affected versions : >= 2.0.0, < 4.4.50
                    >= 5.0.0, < 5.4.20
                    >= 6.0.0, < 6.0.20
                    >= 6.1.0, < 6.1.12
                    >= 6.2.0, < 6.2.6
Patched versions  : 4.4.50, 5.4.20, 6.0.20, 6.1.12, 6.2.6

Description

The Symfony HTTP cache system acts as a reverse proxy: it caches HTTP responses (including their headers) and returns them to clients. Following a recent AbstractSessionListener change, a response may now contain a Set-Cookie header. If the Symfony HTTP cache system is enabled, this header may be stored with the cached response and returned to other clients, so a later client receives the session cookie issued to the first one. An attacker can use this to obtain a victim's session.

Resolution

The HttpStore constructor now takes a parameter containing a list of private headers that are removed from the HTTP response headers before the response is stored. The default value for this parameter is Set-Cookie; an application can override or extend the list. The patch for this issue is available (see the GitHub advisory) for branch 4.4.

Credits

We would like to thank Soner Sayakci for reporting the issue and Nicolas Grekas for fixing it.

Severity   : Moderate
CVE ID     : CVE-2022-24894
Weaknesses : No CWEs
Credits    : @nicolas-grekas (nicolas-grekas), @shyim (shyim)

=========================================================
+ CERT-RENATER      | tel   : 01-53-94-20-44             +
+ 23/25 Rue Daviel  | fax   : 01-53-94-20-41             +
+ 75013 Paris       | email : cert@support.renater.fr    +
=========================================================
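The script below is an added illustration of the HttpCache issue in the second advisory above (GHSA-h7vf-5wrv-9fhv); it is not Symfony's HttpCache or Store code. A toy reverse-proxy cache replays a stored response to a second client; a private-headers list on its constructor, defaulting to Set-Cookie as the advisory says the patched constructor does, is applied before the entry is written. Class names (ToyCacheStore, CachedResponse), the backend() and proxy() functions and the cookie value are all constructed for the example, and the real Symfony constructor signature is not reproduced (PHP 8.1 or later).

```php
<?php
// Added example (not Symfony's own code): a toy reverse-proxy cache that
// shows how a cached Set-Cookie header reaches a different client, and how
// stripping private headers before storing (Set-Cookie by default, as in
// the patched store constructor) prevents it. All names are assumptions.
declare(strict_types=1);

final class CachedResponse
{
    /** @param array<string, string> $headers header name => value */
    public function __construct(
        public readonly int $status,
        public readonly array $headers,
        public readonly string $body,
    ) {}
}

final class ToyCacheStore
{
    /** @var array<string, CachedResponse> url => stored response */
    private array $entries = [];
    /** @var string[] lower-cased header names that are never written to cache */
    private array $privateHeaders;

    /** @param string[] $privateHeaders default mirrors the patched default of Set-Cookie */
    public function __construct(array $privateHeaders = ['Set-Cookie'])
    {
        $this->privateHeaders = array_map('strtolower', $privateHeaders);
    }

    public function lookup(string $url): ?CachedResponse
    {
        return $this->entries[$url] ?? null;
    }

    /** Store a copy of the response with the private headers removed. */
    public function write(string $url, CachedResponse $response): void
    {
        $headers = [];
        foreach ($response->headers as $name => $value) {
            if (!in_array(strtolower($name), $this->privateHeaders, true)) {
                $headers[$name] = $value;
            }
        }
        $this->entries[$url] = new CachedResponse($response->status, $headers, $response->body);
    }
}

/** Backend application: a public, cacheable page whose session layer sets a cookie. */
function backend(string $url): CachedResponse
{
    $sessionId = bin2hex(random_bytes(8));   // constructed session identifier
    return new CachedResponse(200, [
        'Content-Type'  => 'text/html',
        'Cache-Control' => 'public, max-age=60',
        'Set-Cookie'    => "PHPSESSID={$sessionId}; Path=/; HttpOnly",
    ], '<p>public landing page</p>');
}

/** Reverse proxy: serve from cache when possible, otherwise fetch from the backend and store. */
function proxy(ToyCacheStore $store, string $url): CachedResponse
{
    $hit = $store->lookup($url);
    if ($hit !== null) {
        return $hit;
    }
    $fresh = backend($url);
    $store->write($url, $fresh);
    return $fresh;   // the first client still receives its own Set-Cookie unchanged
}

$stores = [
    'vulnerable' => new ToyCacheStore([]),   // nothing stripped: headers cached verbatim
    'patched'    => new ToyCacheStore(),     // Set-Cookie stripped before storing
];

foreach ($stores as $label => $store) {
    $first  = proxy($store, '/home');   // cache miss: response written to the store
    $second = proxy($store, '/home');   // cache hit: replayed to a different client
    $leaked = isset($second->headers['Set-Cookie'])
        && $second->headers['Set-Cookie'] === $first->headers['Set-Cookie'];
    printf("%-11s second client receives first client's Set-Cookie: %s\n",
        $label . ':', $leaked ? 'yes' : 'no');
}
```

Run with `php httpcache_cookie.php`: the store built with an empty private-headers list hands the second client the PHPSESSID issued to the first, which is the session takeover the advisory describes, while the default list strips the header before the entry is written. Note that stripping happens at write time, so a cache populated before upgrading may still hold entries with Set-Cookie; clearing the HttpCache directory after deploying a patched version removes them. To confirm the installed versions against the patched ones listed above, run `composer show symfony/http-kernel` and `composer show symfony/security-bundle` in the project.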