Insecure session management in symfony/symfony
Description
Symfony CSRF Token Fixation
An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. By default, a user's session is invalidated when the user is logged out. This behavior can be disabled through the invalidate_session option. In that case, CSRF tokens were not erased during logout, which allowed CSRF token fixation: a token issued before logout remained valid in the same session after a subsequent login.
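The following plain-PHP model, added here as an illustration and not taken from Symfony's code base, shows why a logout that keeps the session alive must also wipe the CSRF token storage. It assumes Symfony's conventions of keeping CSRF tokens under the `_csrf` session namespace and the security token under a `_security_<firewall>` key; the session itself is modelled as an array so the example runs without the framework.

```php
<?php
// Added illustration (not Symfony's own code): a minimal model of session-backed
// CSRF tokens surviving a logout that does not invalidate the session, and of
// the hardened logout that clears the token namespace as the patched releases do.

// Assumption: tokens live under the '_csrf' session namespace, as in Symfony's
// SessionTokenStorage; the firewall's security token lives under '_security_main'.
const CSRF_NAMESPACE = '_csrf';
const SECURITY_KEY   = '_security_main';

// Return the existing token for $tokenId, or mint and store a fresh one.
function generateCsrfToken(array &$session, string $tokenId): string
{
    if (isset($session[CSRF_NAMESPACE][$tokenId])) {
        return $session[CSRF_NAMESPACE][$tokenId];
    }
    $token = bin2hex(random_bytes(32));
    $session[CSRF_NAMESPACE][$tokenId] = $token;
    return $token;
}

// Constant-time comparison against the stored token; unknown ids never validate.
function isCsrfTokenValid(array $session, string $tokenId, string $submitted): bool
{
    if (!isset($session[CSRF_NAMESPACE][$tokenId])) {
        return false;
    }
    return hash_equals($session[CSRF_NAMESPACE][$tokenId], $submitted);
}

// Vulnerable behaviour: invalidate_session disabled and nothing else cleared,
// so the CSRF namespace is carried over into the next login.
function logoutKeepingSession(array &$session): void
{
    unset($session[SECURITY_KEY]);
}

// Hardened behaviour: the security token is dropped and the whole CSRF
// namespace is wiped, so every token must be re-issued after login.
function logoutClearingCsrf(array &$session): void
{
    unset($session[SECURITY_KEY]);
    unset($session[CSRF_NAMESPACE]);
}

// Returns true when a token issued before logout is still accepted after
// logout and a fresh login in the same session, i.e. when fixation is possible.
function preLogoutTokenSurvives(callable $logout): bool
{
    $session = [SECURITY_KEY => 'serialized-user-token']; // constructed sample session
    $before  = generateCsrfToken($session, 'authenticate');
    $logout($session);
    $session[SECURITY_KEY] = 'serialized-user-token-after-relogin';
    $after = generateCsrfToken($session, 'authenticate');
    return $before === $after && isCsrfTokenValid($session, 'authenticate', $before);
}

var_dump(preLogoutTokenSurvives('logoutKeepingSession'));
var_dump(preLogoutTokenSurvives('logoutClearingCsrf'));
```

Run with `php example.php`: the first call reports that the old token is still valid after logout and re-login, the second that it is not. In a real deployment the equivalent of `logoutClearingCsrf` is what a logout handler should do whenever `invalidate_session` is turned off; keeping the default (session invalidation on logout) removes the CSRF namespace along with everything else.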
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
| packagist | | | 2.7.48, 2.8.41, 3.3.17, 3.4.11, 4.0.11 |
| packagist | | | 2.7.48, 2.8.41, 3.3.17, 3.4.11, 4.0.11 |
| packagist | | | 2.7.48, 2.8.41, 3.3.17, 3.4.11, 4.0.11 |
| packagist | | | 2.7.48, 2.8.41, 3.3.17, 3.4.11, 4.0.11 |
| debian 12 | | | 3.4.12+dfsg-1 |
| debian 11 | | | 3.4.12+dfsg-1 |
| debian 13 | | | 3.4.12+dfsg-1 |
| packagist | | | 2.7.48, 2.8.41, 3.4.11, 4.0.11 |
| debian 14 | | | 3.4.12+dfsg-1 |