6.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-24895

GHSA ID

GHSA-3gv2-29qc-v67m

EPSS Score

0.02053%

CWE

CWE-384

Published

2/1/2023

Updated

7/12/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-24895

CVE-2022-24895: Symfony vulnerable to Session Fixation of CSRF tokens

Description

When authenticating users Symfony by default regenerates the session ID upon login, but preserves the rest of session attributes. Because this does not clear CSRF tokens upon login, this might enables same-site attackers to bypass the CSRF protection mechanism by performing an attack similar to a session-fixation.

Resolution

Symfony removes all CSRF tokens from the session on successful login.

The patch for this issue is available here for branch 4.4.

Credits

We would like to thank Marco Squarcina for reporting the issue and Nicolas Grekas for fixing it.

(GitHub Advisory)

6.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-24895

GHSA ID

GHSA-3gv2-29qc-v67m

EPSS Score

0.02053%

CWE

CWE-384

Published

2/1/2023

Updated

7/12/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
symfony/security-bundle	composer	>= 2.0.0, < 4.4.50	4.4.50
symfony/security-bundle	composer	>= 5.0.0, < 5.4.20	5.4.20
symfony/security-bundle	composer	>= 6.0.0, < 6.0.20	6.0.20
symfony/security-bundle	composer	>= 6.1.0, < 6.1.12	6.1.12
symfony/security-bundle	composer	>= 6.2.0, < 6.2.6	6.2.6
symfony/symfony	composer	>= 2.0.0, < 4.4.50	4.4.50
symfony/symfony	composer	>= 5.0.0, < 5.4.20	5.4.20
symfony/symfony	composer	>= 6.0.0, < 6.0.20	6.0.20
symfony/symfony	composer	>= 6.1.0, < 6.1.12	6.1.12
symfony/symfony	composer	>= 6.2.0, < 6.2.6	6.2.6

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from Symfony's session management not clearing CSRF tokens during login. The SessionAuthenticationStrategy's onAuthentication method was responsible for session migration but lacked CSRF token clearance. The patch introduced a ClearableTokenStorageInterface dependency and added CSRF token clearance in this method, confirming this was the vulnerable point. The commit diff explicitly shows the addition of CSRF token clearing logic in this function during migration.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

**s*ription ----------- W**n *ut**nti**tin* us*rs Sym*ony *y ****ult r***n*r*t*s t** s*ssion I* upon lo*in, *ut pr*s*rv*s t** r*st o* s*ssion *ttri*ut*s. ****us* t*is *o*s not *l**r *SR* tok*ns upon lo*in, t*is mi**t *n**l*s [s*m*-sit* *tt**k*rs](*t

Reasoning

T** vuln*r**ility st*ms *rom Sym*ony's s*ssion m*n***m*nt not *l**rin* *SR* tok*ns *urin* lo*in. T** `S*ssion*ut**nti**tionStr*t**y`'s `on*ut**nti**tion` m*t*o* w*s r*sponsi*l* *or s*ssion mi*r*tion *ut l**k** *SR* tok*n *l**r*n**. T** p*t** intro*u*

6.3

Basic Information

Concerned about an active attack path?

CVE-2022-24895: Symfony vulnerable to Session Fixation of CSRF tokens

Description

Resolution

Credits

6.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI