Symfony CSRF Vulnerability
Moderate severity
GitHub Reviewed
Published
May 13, 2022
to the GitHub Advisory Database
•
Updated Feb 7, 2024
Package
Affected versions
>= 2.7.0, < 2.7.38
>= 2.8.0, < 2.8.31
>= 3.0.0, < 3.2.14
>= 3.3.0, < 3.3.13
Patched versions
2.7.38
2.8.31
3.2.14
3.3.13
>= 2.7.0, < 2.7.38
>= 2.8.0, < 2.8.31
>= 3.0.0, < 3.2.14
>= 3.3.0, < 3.3.13
2.7.38
2.8.31
3.2.14
3.3.13
>= 2.7.0, < 2.7.38
>= 2.8.0, < 2.8.31
>= 3.0.0, < 3.2.14
>= 3.3.0, < 3.3.13
2.7.38
2.8.31
3.2.14
3.3.13
Description
Published by the National Vulnerability Database
Aug 6, 2018
Published to the GitHub Advisory Database
May 13, 2022
Reviewed
Jul 26, 2023
Last updated
Feb 7, 2024
An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The current implementation of CSRF protection in Symfony (Version >=2) does not use different tokens for HTTP and HTTPS; therefore the token is subject to MITM attacks on HTTP and can then be used in an HTTPS context to do CSRF attacks.
References