=====================================================================
CERT-Renater Note d'Information No. 2023/VULN466
_____________________________________________________________________
DATE : 15/11/2023
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running symfony/security-http versions prior to 5.4.31 and 6.3.8, symfony/symfony versions prior to 4.4.51, 5.4.31 and 6.3.8, symfony/webhook versions prior to 6.3.8, and symfony/twig-bridge versions prior to 4.4.51, 5.4.31 and 6.3.8.
=====================================================================
https://github.com/symfony/symfony/security/advisories/GHSA-m2wj-r6g3-fxfx
https://github.com/symfony/symfony/security/advisories/GHSA-72x2-5c85-6wmr
https://github.com/symfony/symfony/security/advisories/GHSA-q847-2q57-wmr3
_____________________________________________________________________
Possible session fixation
Severity: Moderate
Published by nicolas-grekas as GHSA-m2wj-r6g3-fxfx

Package: symfony/security-http (Composer)
  Affected versions: >=5.4.21, <5.4.31 ; >=6.2.7, <6.3.8
  Patched versions: 5.4.31, 6.3.8
Package: symfony/symfony (Composer)
  Affected versions: >=5.4.21, <5.4.31 ; >=6.2.7, <6.3.8
  Patched versions: 5.4.31, 6.3.8

Description
SessionStrategyListener does not always migrate the session after a successful login. It only migrates the session when the logged-in user identifier changes. In some use cases the user identifier does not change between the verification phase and the successful login, while the token itself changes from one type (partially authenticated) to another (fully authenticated). When this happens, the session id should be regenerated to prevent possible session fixation.

Resolution
Symfony now checks the type of the token in addition to the user identifier before deciding whether the session id should be regenerated. The patch for this issue is available here for branch 5.4.

Credits
We would like to thank Robert Meijers for reporting the issue and providing the fix.
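The decision the advisory describes, as an added illustration that is not Symfony's own code: a dependency-free PHP 8 model of the check SessionStrategyListener makes after a successful login, with the pre-5.4.31 rule (user identifier only) beside the corrected rule (user identifier and token type), and a session-fixation scenario run against each. The two token classes, the array-backed session store, the function names and the attack scenario (an attacker who can pass the first factor but not the second plants their half-authenticated session id in the victim's browser) are assumptions made for the example; the real listener operates on Symfony's token objects and session, not on an array.

```php
<?php
declare(strict_types=1);

// Added illustration, not Symfony's code. Hypothetical token classes standing in
// for a partially-authenticated token (first factor done, second pending) and a
// fully-authenticated one. Both carry the same user identifier.
abstract class Token
{
    public function __construct(public string $userIdentifier) {}
}
final class PartiallyAuthenticatedToken extends Token {}
final class FullyAuthenticatedToken extends Token {}

/** Rule before 5.4.31 / 6.3.8: regenerate only when the user identifier changes. */
function mustMigrateVulnerable(?Token $previous, Token $new): bool
{
    return null === $previous || $previous->userIdentifier !== $new->userIdentifier;
}

/** Corrected rule: also regenerate when the token type changes. */
function mustMigrateFixed(?Token $previous, Token $new): bool
{
    return null === $previous
        || $previous->userIdentifier !== $new->userIdentifier
        || get_class($previous) !== get_class($new);
}

/**
 * Toy session store (session id => token). Scenario assumed for the example:
 * the attacker completes the first factor for "alice" in a session whose id
 * they know, gets the victim's browser to adopt that id, and the victim then
 * completes the second factor. Returns true if the attacker-known id ends up
 * holding a fully-authenticated token, i.e. the fixation succeeded.
 */
function runFixation(callable $mustMigrate): bool
{
    $sessions = [];
    $attackerKnownId = 'sess-planted-by-attacker'; // constructed value

    // First factor already passed in the attacker-chosen session.
    $sessions[$attackerKnownId] = new PartiallyAuthenticatedToken('alice');
    $victimSessionId = $attackerKnownId;

    // Second factor succeeds: same identifier, different token class.
    $previous = $sessions[$victimSessionId];
    $new = new FullyAuthenticatedToken('alice');

    if ($mustMigrate($previous, $new)) {
        // Migration: drop the old id and issue a fresh one the attacker does not know.
        unset($sessions[$victimSessionId]);
        $victimSessionId = bin2hex(random_bytes(16));
    }
    $sessions[$victimSessionId] = $new;

    // Attacker replays the id they planted.
    return isset($sessions[$attackerKnownId])
        && $sessions[$attackerKnownId] instanceof FullyAuthenticatedToken;
}

var_dump(runFixation('mustMigrateVulnerable'));
var_dump(runFixation('mustMigrateFixed'));
```

Run with the `php` CLI (PHP 8.0 or later). Under the identifier-only rule the planted session id ends up holding the fully-authenticated token, so the attacker's cookie is now a logged-in session; under the corrected rule the class change triggers migration, the planted id is discarded and the victim receives a fresh id.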
CVE ID: CVE-2023-46733
Weaknesses: CWE-384
Credits: RobertMe (reporter)
_____________________________________________________________________
Potential XSS in WebhookController
Severity: Moderate
Published by nicolas-grekas as GHSA-72x2-5c85-6wmr

Package: symfony/symfony (Composer)
  Affected versions: >=6.3.0, <6.3.8
  Patched versions: 6.3.8
Package: symfony/webhook (Composer)
  Affected versions: >=6.3.0, <6.3.8
  Patched versions: 6.3.8

Description
The error message in WebhookController returns unescaped user-submitted input.

Resolution
WebhookController no longer returns any user-submitted input in its response. The patch for this issue is available here for branch 6.3.

Credits
We would like to thank Maxime Aknin for reporting the issue and Nicolas Grekas for providing the fix.

CVE ID: CVE-2023-46735
Weaknesses: CWE-80
Credits: maxime-aknin (reporter), nicolas-grekas (remediation developer)
_____________________________________________________________________
Potential XSS vulnerabilities in CodeExtension filters
Severity: Low
Published by nicolas-grekas as GHSA-q847-2q57-wmr3

Package: symfony/symfony (Composer)
  Affected versions: >=2.0.0, <4.4.51 ; >=5.0.0, <5.4.31 ; >=6.0.0, <6.3.8
  Patched versions: 4.4.51, 5.4.31, 6.3.8
Package: symfony/twig-bridge (Composer)
  Affected versions: >=2.0.0, <4.4.51 ; >=5.0.0, <5.4.31 ; >=6.0.0, <6.3.8
  Patched versions: 4.4.51, 5.4.31, 6.3.8

Description
Some Twig filters in CodeExtension are declared with "is_safe=html" but do not actually ensure that their input is safe.

Resolution
Symfony now escapes the output of the affected filters. The patch for this issue is available here for branch 4.4.

Credits
We would like to thank Pierre Rudloff for reporting the issue and Nicolas Grekas for providing the fix.
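The failure mode behind the CodeExtension advisory, as an added illustration that is not Symfony's or Twig's code: a filter registered with Twig's `['is_safe' => ['html']]` option tells the autoescaper that its return value is already safe HTML, so nothing downstream escapes it and the filter body is the only place escaping can happen. The hypothetical filter below (a file-path-to-link formatter in the shape of the CodeExtension filters, not one of them) is shown in its vulnerable form, interpolating caller-supplied strings raw, beside a hardened form that escapes every dynamic value. The function names and the attacker-controlled path are assumptions constructed for the example; it needs only the `php` CLI (PHP 8.0 or later), no Twig installation.

```php
<?php
declare(strict_types=1);

// Added illustration, not Symfony's or Twig's code. Registered in a Twig
// extension this filter would be declared roughly as
//   new TwigFilter('format_file_link', 'formatFileLinkFixed', ['is_safe' => ['html']])
// and Twig would then pass its output through unescaped.

/** Vulnerable shape: $file is dropped raw into an attribute and into element text. */
function formatFileLinkVulnerable(string $file, int $line): string
{
    return sprintf('<a href="%s#L%d" title="%s">%s at line %d</a>',
        $file, $line, $file, basename($file), $line);
}

/** Hardened shape: each dynamic value is escaped for the HTML context it lands in. */
function formatFileLinkFixed(string $file, int $line): string
{
    $esc = static fn (string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');

    return sprintf('<a href="%s#L%d" title="%s">%s at line %d</a>',
        $esc($file), $line, $esc($file), $esc(basename($file)), $line);
}

/** True if a script tag from the input survived into the rendered fragment. */
function leaksMarkup(string $html): bool
{
    return false !== strpos($html, '<script>');
}

// Constructed attacker-controlled path, e.g. a file name taken from user input
// that later surfaces in an exception trace rendered by the filter.
$attackerFile = '/var/www/app/src/"><script>alert(1)</script>.php';

var_dump(leaksMarkup(formatFileLinkVulnerable($attackerFile, 42)));
var_dump(leaksMarkup(formatFileLinkFixed($attackerFile, 42)));
```

The vulnerable form breaks out of the `href` attribute and injects the script element; the hardened form renders the same input as inert text (`&quot;&gt;&lt;script&gt;...`). The general rule the advisory points at: any filter or function marked `is_safe` must escape its inputs itself, or it should not be marked safe.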
CVE ID: CVE-2023-46734
Weaknesses: CWE-80
Credits: Rudloff (reporter), nicolas-grekas (remediation developer)
=========================================================
+ CERT-RENATER         | tel : 01-53-94-20-44           +
+ 23/25 Rue Daviel     | fax : 01-53-94-20-41           +
+ 75013 Paris          | email : cert@support.renater.fr +
=========================================================