8.1

CVSS Score

3.0

Basic Information

CVE ID

CVE-2018-11385

GHSA ID

GHSA-g4rg-rw65-8hfg

EPSS Score

0.75386%

CWE

CWE-384

Published

5/14/2022

Updated

2/8/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2018-11385

CVE-2018-11385: Symfony Session Fixation Vulnerability

An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. A session fixation vulnerability within the "Guard" login feature may allow an attacker to impersonate a victim towards the web application if the session id value was previously known to the attacker.

(GitHub Advisory)

8.1

CVSS Score

3.0

Basic Information

CVE ID

CVE-2018-11385

GHSA ID

GHSA-g4rg-rw65-8hfg

EPSS Score

0.75386%

CWE

CWE-384

Published

5/14/2022

Updated

2/8/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
symfony/symfony	composer	>= 2.7.0, < 2.7.48	2.7.48
symfony/symfony	composer	>= 2.8.0, < 2.8.41	2.8.41
symfony/symfony	composer	>= 3.4.0, < 3.4.11	3.4.11
symfony/symfony	composer	>= 4.0.0, < 4.0.11	4.0.11
symfony/symfony	composer	>= 3.0.0, < 3.3.17	3.3.17
symfony/security-http	composer	>= 2.7.0, < 2.7.48	2.7.48
symfony/security-http	composer	>= 2.8.0, < 2.8.41	2.8.41
symfony/security-http	composer	>= 3.0.0, < 3.3.17	3.3.17
symfony/security-http	composer	>= 3.4.0, < 3.4.11	3.4.11
symfony/security-http	composer	>= 4.0.0, < 4.0.11	4.0.11
symfony/security	composer	>= 2.7.0, < 2.7.48	2.7.48
symfony/security	composer	>= 2.8.0, < 2.8.41	2.8.41
symfony/security	composer	>= 3.0.0, < 3.3.17	3.3.17
symfony/security	composer	>= 3.4.0, < 3.4.11	3.4.11
symfony/security	composer	>= 4.0.0, < 4.0.11	4.0.11

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from missing session migration in Guard authentication handlers. The patch added migrateSession() calls to onSuccess methods in multiple listeners. The commit diff shows UsernamePasswordJsonAuthenticationListener was missing this critical session rotation step before token storage, leaving sessions vulnerable to fixation. This matches the CVE description of Guard component session fixation and the explicit patch implementation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n issu* w*s *is*ov*r** in t** S**urity *ompon*nt in Sym*ony *.*.x ***or* *.*.**, *.*.x ***or* *.*.**, *.*.x ***or* *.*.**, *.*.x ***or* *.*.**, *n* *.*.x ***or* *.*.**. * s*ssion *ix*tion vuln*r**ility wit*in t** "*u*r*" lo*in ***tur* m*y *llow *n *

Reasoning

T** vuln*r**ility st*mm** *rom missin* s*ssion mi*r*tion in *u*r* *ut**nti**tion **n*l*rs. T** p*t** ***** `mi*r*t*S*ssion()` **lls to `onSu***ss` m*t*o*s in multipl* list*n*rs. T** *ommit *i** s*ows `Us*rn*m*P*sswor*Json*ut**nti**tionList*n*r` w*s m

8.1

Basic Information

Concerned about an active attack path?

CVE-2018-11385: Symfony Session Fixation Vulnerability

8.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI