BIT-symfony-2022-24894

See a problem?
Import Source
https://github.com/bitnami/vulndb/tree/main/data/symfony/BIT-symfony-2022-24894.json
JSON Data
https://api.test.osv.dev/v1/vulns/BIT-symfony-2022-24894
Aliases
Published
2024-03-06T11:07:13.200Z
Modified
2024-03-06T11:25:28.861Z
Summary
[none]
Details

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony HTTP cache system, acts as a reverse proxy: It caches entire responses (including headers) and returns them to the clients. In a recent change in the AbstractSessionListener, the response might contain a Set-Cookie header. If the Symfony HTTP cache system is enabled, this response might bill stored and return to the next clients. An attacker can use this vulnerability to retrieve the victim's session. This issue has been patched and is available for branch 4.4.

Database specific
{
    "cpes": [
        "cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*"
    ],
    "severity": "High"
}
References

Affected packages

Bitnami / symfony

Package

Name
symfony
Purl
pkg:bitnami/symfony

Severity

  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Affected ranges

Type
SEMVER
Events
Introduced
2.0.0
Fixed
4.4.50
Introduced
5.0.0
Fixed
5.4.2
Introduced
6.0.0
Fixed
6.0.20
Introduced
6.1.0
Fixed
6.1.12
Introduced
6.2.0
Fixed
6.2.6