Fluid Attacks Database

Description

Symfony Session Fixation Vulnerability An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. A session fixation vulnerability within the "Guard" login feature may allow an attacker to impersonate a victim towards the web application if the session id value was previously known to the attacker.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
packagist	symfony/security	>=2.7.0 <2.7.48 \|\| >=2.8.0 <2.8.41 \|\| >=3.0.0 <3.3.17 \|\| >=3.4.0 <3.4.11 \|\| >=4.0.0 <4.0.11	2.7.48, 2.8.41, 3.3.17, 3.4.11, 4.0.11
debian 11	symfony	>=0 <3.4.12+dfsg-1	3.4.12+dfsg-1
packagist	symfony/symfony	>=2.7.0 <2.7.48 \|\| >=2.8.0 <2.8.41 \|\| >=3.0.0 <3.3.17 \|\| >=3.4.0 <3.4.11 \|\| >=4.0.0 <4.0.11	2.7.48, 2.8.41, 3.3.17, 3.4.11, 4.0.11
packagist	symfony/security-http	>=2.7.0 <2.7.48 \|\| >=2.8.0 <2.8.41 \|\| >=3.0.0 <3.3.17 \|\| >=3.4.0 <3.4.11 \|\| >=4.0.0 <4.0.11	2.7.48, 2.8.41, 3.3.17, 3.4.11, 4.0.11
debian 12	symfony	>=0 <3.4.12+dfsg-1	3.4.12+dfsg-1
debian 13	symfony	>=0 <3.4.12+dfsg-1	3.4.12+dfsg-1
packagist	symfony/security-guard	>=2.8.0 <2.8.41 \|\| >=3.0.0 <3.4.11 \|\| >=4.0.0 <4.0.11	2.8.41, 3.4.11, 4.0.11
debian 14	symfony	>=0 <3.4.12+dfsg-1	3.4.12+dfsg-1

Aliases

1. CVE-2018-113852. NVD-2018-113853. OSV-2018-113854. OSV-DEBIAN-2018-113855. GCVE-2018-113856. lists.debian.org7. SECURITY-TRACKER-CVE-2018-113858. SYMFONY-cve-2018-11385

References

1. https://github.com/symfony/symfony/commit/194caff28b56707ea98e746c6582c06acbb9bc3f2. https://github.com/symfony/symfony/commit/fa5bf4b17d45ee32f41bd1a9abc3fb6c134ec89b3. https://github.com/symfony/symfony/commit/fad1e1f2ea336e85c889feece9d0e23fbfcf777d4. https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2018-11385.yaml5. https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security/CVE-2018-11385.yaml6. https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2018-11385.yaml7. https://lists.fedoraproject.org/archives/list/[email protected]/message/G4XNBMFW33H47O5TZGA7JYCVLDBCXAJV8. https://lists.fedoraproject.org/archives/list/[email protected]/message/UBQK7JDXIELADIPGZIOUCZKMAJM5LSBW9. https://lists.fedoraproject.org/archives/list/[email protected]/message/WU5N2TZFNGXDGMXMPP7LZCWTFLENF6WH10. https://symfony.com/blog/cve-2018-11385-session-fixation-issue-for-guard-authentication11. https://symfony.com/cve-2018-1138512. https://www.debian.org/security/2018/dsa-4262