CVE-2021-41268

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2021-41268

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-41268.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2021-41268

Aliases

Related

GHSA-qw36-p97w-vcqr

Published

2021-11-24T19:15:07.817Z

Modified

2026-03-20T11:44:34.211703Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Symfony/SecurityBundle is the security system for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Since the rework of the Remember me cookie in version 5.3.0, the cookie is not invalidated when the user changes their password. Attackers can therefore maintain their access to the account even if the password is changed as long as they have had the chance to login once and get a valid remember me cookie. Starting with version 5.3.12, Symfony makes the password part of the signature by default. In that way, when the password changes, then the cookie is not valid anymore.

References

Affected packages

Git / github.com/symfony/symfony

Affected ranges

Type

GIT

Repo

https://github.com/symfony/symfony

Events

Introduced

bc3abacc8bed6ca1e6924bed48580b85eccf4e82

Fixed

256c34a45b79fdc6276a8c941a1656713ee1ffec

Fixed

36a808b857cd3240244f4b224452fb1e70dc6dfc

Database specific

{
    "versions": [
        {
            "introduced": "5.3.0"
        },
        {
            "fixed": "5.3.12"
        }
    ]
}

Affected versions

v4.*

v4.4.25

v4.4.26

v4.4.27

v4.4.28

v4.4.29

v4.4.30

v4.4.31

v4.4.32

v4.4.33

v4.4.34

v5.*

v5.2.10

v5.2.11

v5.2.12

v5.2.13

v5.2.14

v5.3.0

v5.3.1

v5.3.10

v5.3.11

v5.3.2

v5.3.3

v5.3.4

v5.3.5

v5.3.6

v5.3.7

v5.3.8

v5.3.9

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-41268.json"