CVE-2015-8124: Symfony Session Fixation Vulnerability
3.1
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.4794%
CWE
Published
5/14/2022
Updated
2/8/2024
KEV Status
No
Technology
PHP
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
symfony/symfony | composer | >= 2.3.0, < 2.3.35 | 2.3.35 |
symfony/symfony | composer | >= 2.4.0, < 2.6.12 | 2.6.12 |
symfony/symfony | composer | >= 2.7.0, < 2.7.7 | 2.7.7 |
symfony/security-http | composer | >= 2.4.0, < 2.6.12 | 2.6.12 |
symfony/security-http | composer | >= 2.7.0, < 2.7.7 | 2.7.7 |
symfony/security | composer | >= 2.3.0, < 2.3.35 | 2.3.35 |
symfony/security | composer | >= 2.4.0, < 2.6.12 | 2.6.12 |
symfony/security | composer | >= 2.7.0, < 2.7.7 | 2.7.7 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from missing session migration after remember-me authentication. The patch adds sessionStrategy->onAuthentication()
in RememberMeListener::handle()
to trigger session migration. In vulnerable versions, the absence of this session ID rotation in the handle()
method allowed attackers to fixate sessions. The handle()
method is the entry point for remember-me authentication processing and would appear in stack traces during exploitation.