#VU71735 Session Fixation in http-kernel - CVE-2022-24894


Vulnerability identifier: #VU71735

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-24894

CWE-ID: CWE-384

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
http-kernel
Web applications / Modules and components for CMS

Vendor: Symfony

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to the cookie headers are stored in HttpCache. A remote attacker can retrieve the victim's session.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

http-kernel: 2.0.0 - 6.2.5

External links
https://github.com/symfony/symfony/security/advisories/GHSA-h7vf-5wrv-9fhv

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Ubuntu update for symfony
Fedora 37 update for php-symfony4
Fedora 36 update for php-symfony4
Multiple vulnerabilities in symfony
Session Fixation in Symfony http-kernel