Session Fixation in Symfony

#VU82998 Session Fixation in Symfony

Published: 2023-11-13 | Updated: 2023-11-13

Vulnerability identifier: #VU82998

Vulnerability risk: Medium

CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-46733

CWE-ID: CWE-384

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Symfony
Web applications / CMS

Vendor: SensioLabs

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to the session fixation issue within the SessionStrategyListener. A remote attacker can gain acces to the original user's session.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Symfony: 5.4.21 - 6.3.7

External links
http://github.com/symfony/symfony/security/advisories/GHSA-m2wj-r6g3-fxfx
http://github.com/symfony/symfony/commit/7467bd7e3f888b333102bc664b5e02ef1e7f88b9
http://github.com/symfony/symfony/commit/dc356499d5ceb86f7cf2b4c7f032eca97061ed74
http://github.com/symfony/symfony/releases/tag/v5.4.31
http://github.com/symfony/symfony/releases/tag/v6.3.8

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Symfony