#VU58369 Session Fixation in security-bundle


Published: 2021-11-25

Vulnerability identifier: #VU58369

Vulnerability risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-41268

CWE-ID: CWE-384

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
security-bundle
Web applications / Modules and components for CMS

Vendor: Symfony

Description

The vulnerability allows a local user to compromise the target system.

The vulnerability exists due to the cookie is not invalidated anymore when the user changes its password. A remote authenticated attacker can maintain their access to the account even if the password is changed.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

security-bundle: 5.3.0 - 5.3.11

External links
http://github.com/symfony/symfony/security/advisories/GHSA-qw36-p97w-vcqr
http://github.com/symfony/symfony/releases/tag/v5.3.12
http://github.com/symfony/symfony/commit/36a808b857cd3240244f4b224452fb1e70dc6dfc
http://github.com/symfony/symfony/pull/44243

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities n Symfony
Session Fixation in Symfony security-bundle