← Back

CVE-2022-24894

nvd nist
Published: Feb 3, 2023Modified: Apr 10, 2025

JSON object

Loading...
8.8
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 2.8 / Impact: 5.9
Source: NVD

Description

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony HTTP cache system, acts as a reverse proxy: It caches entire responses (including headers) and returns them to the clients. In a recent change in the `AbstractSessionListener`, the response might contain a `Set-Cookie` header. If the Symfony HTTP cache system is enabled, this response might bill stored and return to the next clients. An attacker can use this vulnerability to retrieve the victim's session. This issue has been patched and is available for branch 4.4.

Affected (5)

Products: Sensiolabs: Symfony
Sensiolabs
1 product
Symfony
Configuration A
5 vulnerable
Vulnerable SoftwareAffected Versions
Sensiolabs
Symfony
From 2.0.0 to 4.4.50
Symfony
From 5.0.0 to 5.4.2
Symfony
From 6.0.0 to 6.0.20
Symfony
From 6.1.0 to 6.1.12
Symfony
From 6.2.0 to 6.2.6

Related CWEs

CWE-285
Improper Authorization
The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

References (6)

Source: security-advisories@github.com
Patch
Source: security-advisories@github.com
Third Party Advisory
Source: security-advisories@github.com
Mailing List
Source: af854a3a-2127-422b-91ae-364da2661108
Patch
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Mailing List

Timeline

No history available yet.