5.9

CVSS Score

Basic Information

CVE ID

CVE-2022-24894

GHSA ID

GHSA-h7vf-5wrv-9fhv

EPSS Score

CWE

CWE-285

Published

2/1/2023

Updated

2/13/2025

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-24894

CVE-2022-24894:
Symfony storing cookie headers in HttpCache

Description

The Symfony HTTP cache system acts as a reverse proxy: it caches HTTP responses (including headers) and returns them to clients.

In a recent AbstractSessionListener change, the response might now contain a Set-Cookie header. If the Symfony HTTP cache system is enabled, this header might be stored and returned to some other clients. An attacker can use this vulnerability to retrieve the victim's session.

Resolution

The HttpStore constructor now takes a parameter containing a list of private headers that are removed from the HTTP response headers. The default value for this parameter is Set-Cookie, but it can be overridden or extended by the application.

The patch for this issue is available here for branch 4.4.

Credits

We would like to thank Soner Sayakci for reporting the issue and Nicolas Grekas for fixing it.

(GitHub Advisory)

5.9

CVSS Score

Basic Information

CVE ID

CVE-2022-24894

GHSA ID

GHSA-h7vf-5wrv-9fhv

EPSS Score

CWE

CWE-285

Published

2/1/2023

Updated

2/13/2025

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
symfony/http-kernel	composer	>= 2.0.0, < 4.4.50	4.4.50
symfony/http-kernel	composer	>= 5.0.0, < 5.4.20	5.4.20
symfony/http-kernel	composer	>= 6.0.0, < 6.0.20	6.0.20
symfony/http-kernel	composer	>= 6.1.0, < 6.1.12	6.1.12
symfony/http-kernel	composer	>= 6.2.0, < 6.2.6	6.2.6
symfony/symfony	composer	>= 2.0.0, < 4.4.50	4.4.50
symfony/symfony	composer	>= 5.0.0, < 5.4.20	5.4.20
symfony/symfony	composer	>= 6.0.0, < 6.0.20	6.0.20
symfony/symfony	composer	>= 6.1.0, < 6.1.12	6.1.12
symfony/symfony	composer	>= 6.2.0, < 6.2.6	6.2.6

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the HTTP cache system storing responses with 'Set-Cookie' headers. The patch modifies the Store class constructor to accept private headers and adds logic in the write method to remove them. The pre-patch version of write() lacked this header removal step, making it the vulnerable function. The test case added in StoreTest.php explicitly verifies this behavior, confirming write() as the entry point for improper header storage.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

**s*ription ----------- T** Sym*ony *TTP ***** syst*m **ts *s * r*v*rs* proxy: it *****s *TTP r*spons*s (in*lu*in* *****rs) *n* r*turns t**m to *li*nts. In * r***nt `**str**tS*ssionList*n*r` ***n**, t** r*spons* mi**t now *ont*in * `S*t-*ooki*` ***

Reasoning

T** vuln*r**ility st*ms *rom t** *TTP ***** syst*m storin* r*spons*s wit* 'S*t-*ooki*' *****rs. T** p*t** mo*i*i*s t** Stor* *l*ss *onstru*tor to ****pt priv*t* *****rs *n* ***s lo*i* in t** writ* m*t*o* to r*mov* t**m. T** pr*-p*t** v*rsion o* writ*

5.9

Basic Information

Concerned about an active attack path?

CVE-2022-24894: Symfony storing cookie headers in HttpCache

Description

Resolution

Credits

5.9

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-24894:
Symfony storing cookie headers in HttpCache

Vulnerability Intelligence
Miggo AI