logo

Database

Session Fixation In symfony/security-http

Description

Symfony Session Fixation Vulnerability A session fixation vulnerability within the "Remember Me" login feature allows an attacker to impersonate the victim towards the web application if the session id value was previously known to the attacker. This issue has been fixed in Symfony 2.3.35, 2.6.12, and 2.7.7. Note that no fixes are provided for Symfony 2.4 and 2.5 as they are not maintained anymore. Symfony 2.8 and 3.0 haven't been released yet and the fix will be included in their first stable releases.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2015-81242. NVD-2015-81243. OSV-2015-81244. OSV-DEBIAN-2015-81245. GCVE-2015-81246. SECURITY-TRACKER-CVE-2015-8124

References

1. https://github.com/symfony/symfony/pull/166312. https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2015-8124.yaml3. https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security/CVE-2015-8124.yaml4. https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2015-8124.yaml5. https://symfony.com/blog/cve-2015-8124-session-fixation-in-the-remember-me-login-feature6. https://symfony.com/cve-2015-81247. https://web.archive.org/web/20201209020014/http://www.securityfocus.com/archive/1/537183/100/0/threaded8. https://web.archive.org/web/20210125123853/http://www.securityfocus.com/bid/776949. http://lists.fedoraproject.org/pipermail/package-announce/2015-December/173271.html10. http://lists.fedoraproject.org/pipermail/package-announce/2015-December/173300.html11. http://seclists.org/fulldisclosure/2015/Dec/8912. http://www.debian.org/security/2015/dsa-3402

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.