CVE-2022-24895: Symfony vulnerable to Session Fixation of CSRF tokens
6.3
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.02053%
CWE
Published
2/1/2023
Updated
7/12/2023
KEV Status
No
Technology
PHP
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| symfony/security-bundle | composer | >= 2.0.0, < 4.4.50 | 4.4.50 |
| symfony/security-bundle | composer | >= 5.0.0, < 5.4.20 | 5.4.20 |
| symfony/security-bundle | composer | >= 6.0.0, < 6.0.20 | 6.0.20 |
| symfony/security-bundle | composer | >= 6.1.0, < 6.1.12 | 6.1.12 |
| symfony/security-bundle | composer | >= 6.2.0, < 6.2.6 | 6.2.6 |
| symfony/symfony | composer | >= 2.0.0, < 4.4.50 | 4.4.50 |
| symfony/symfony | composer | >= 5.0.0, < 5.4.20 | 5.4.20 |
| symfony/symfony | composer | >= 6.0.0, < 6.0.20 | 6.0.20 |
| symfony/symfony | composer | >= 6.1.0, < 6.1.12 | 6.1.12 |
| symfony/symfony | composer | >= 6.2.0, < 6.2.6 | 6.2.6 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from Symfony's session management not clearing CSRF tokens during login. The SessionAuthenticationStrategy's onAuthentication method was responsible for session migration but lacked CSRF token clearance. The patch introduced a ClearableTokenStorageInterface dependency and added CSRF token clearance in this method, confirming this was the vulnerable point. The commit diff explicitly shows the addition of CSRF token clearing logic in this function during migration.