8.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-23601

GHSA ID

GHSA-vvmr-8829-6whx

EPSS Score

0.35496%

CWE

CWE-352

Published

2/1/2022

Updated

4/22/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-23601

CVE-2022-23601: CSRF token missing in Symfony

Description

The Symfony form component provides a CSRF protection mechanism by using a random token injected in the form and using the session to store and control the token submitted by the user. When using the FrameworkBundle, this protection can be enabled or disabled with the configuration. If the configuration is not specified, by default, the mechanism is enabled as long as the session is enabled.

In a recent change in the way the configuration is loaded, the default behavior has been dropped and, as a result, the CSRF protection is not enabled in form when not explicitly enabled, which makes the application sensible to CSRF attacks.

Resolution

Symfony restored the default configuration to enable the CSRF protection by default.

The patch for this issue is available here for branch 5.3.

Credits

We would like to thank Catalin Dan and David Lochner for reporting the issue and Jérémy Derussé for fixing the issue.

(GitHub Advisory)

8.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-23601

GHSA ID

GHSA-vvmr-8829-6whx

EPSS Score

0.35496%

CWE

CWE-352

Published

2/1/2022

Updated

4/22/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
symfony/framework-bundle	composer	= 5.3.14	5.3.15
symfony/framework-bundle	composer	= 5.4.3	5.4.4
symfony/framework-bundle	composer	= 6.0.3	6.0.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from incorrect execution order in dependency injection configuration. The commit f0ffb775 shows critical changes:- 1) Moving form configuration registration AFTER CSRF configuration- 2) Adding explicit test cases for CSRF default enablement- 3) Reordering component initialization dependenciesThe original code processed form configuration (lines 314-333 in diff) before registering CSRF protection (line 462), preventing proper default CSRF enablement. The vulnerable function is the load() method where this misordering occurred, making CSRF protection contingent on explicit configuration rather than session status.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

**s*ription ----------- T** Sym*ony *orm *ompon*nt provi**s * *SR* prot**tion m****nism *y usin* * r*n*om tok*n inj**t** in t** *orm *n* usin* t** s*ssion to stor* *n* *ontrol t** tok*n su*mitt** *y t** us*r. W**n usin* t** *r*m*work*un*l*, t*is pro

Reasoning

T** vuln*r**ility st*mm** *rom in*orr**t *x**ution or**r in **p*n**n*y inj**tion *on*i*ur*tion. T** *ommit ******** s*ows *riti**l ***n**s:- *) Movin* *orm *on*i*ur*tion r**istr*tion **T*R *SR* *on*i*ur*tion- *) ***in* *xpli*it t*st **s*s *or *SR* **

8.1

Basic Information

Concerned about an active attack path?

CVE-2022-23601: CSRF token missing in Symfony

Description

Resolution

Credits

8.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI