Symfony Session Fixation Vulnerability
High severity
GitHub Reviewed
Published
May 14, 2022
to the GitHub Advisory Database
•
Updated Feb 8, 2024
Package
Affected versions
>= 2.7.0, < 2.7.48
>= 2.8.0, < 2.8.41
>= 3.0.0, < 3.3.17
>= 3.4.0, < 3.4.11
>= 4.0.0, < 4.0.11
Patched versions
2.7.48
2.8.41
3.3.17
3.4.11
4.0.11
>= 2.7.0, < 2.7.48
>= 2.8.0, < 2.8.41
>= 3.0.0, < 3.3.17
>= 3.4.0, < 3.4.11
>= 4.0.0, < 4.0.11
2.7.48
2.8.41
3.3.17
3.4.11
4.0.11
>= 2.7.0, < 2.7.48
>= 2.8.0, < 2.8.41
>= 3.4.0, < 3.4.11
>= 4.0.0, < 4.0.11
>= 3.0.0, < 3.3.17
2.7.48
2.8.41
3.4.11
4.0.11
3.3.17
Description
Published by the National Vulnerability Database
Jun 13, 2018
Published to the GitHub Advisory Database
May 14, 2022
Reviewed
Jul 24, 2023
Last updated
Feb 8, 2024
An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. A session fixation vulnerability within the "Guard" login feature may allow an attacker to impersonate a victim towards the web application if the session id value was previously known to the attacker.
References