An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. A session fixation vulnerability within the Guard login feature may allow an attacker to impersonate a victim towards the web application if the session id value was previously known to the attacker.
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
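The two behaviours side by side, as an added Python model that is not Symfony's code: the vulnerable handler authenticates the session in place, while the fixed handler migrates it (fresh id, attributes kept, old id discarded), which is what the Guard fix restored. `SessionStore`, `login_vulnerable`, `login_migrate`, `fixation_succeeds` and the session id values are constructed for this example.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class SessionStore:
    """In-memory stand-in for a server-side session store (constructed for this example)."""

    sessions: dict = field(default_factory=dict)  # session id -> attributes

    def start(self, session_id=None):
        """Start or resume a session. As in PHP, an unknown id presented by the
        client is accepted and an empty session is created under that id."""
        if session_id is None:
            session_id = secrets.token_hex(16)
        self.sessions.setdefault(session_id, {})
        return session_id

    def user_of(self, session_id):
        """Return the user bound to a session id, or None."""
        return self.sessions.get(session_id, {}).get("user")

    def login_vulnerable(self, session_id, user):
        """Authenticate without changing the id: the pre-fix behaviour.
        Whoever already knows session_id now holds an authenticated session."""
        self.sessions[session_id]["user"] = user
        return session_id

    def login_migrate(self, session_id, user):
        """Authenticate and migrate: keep the attributes, issue a fresh id and
        drop the old one, so a previously known id identifies nothing."""
        attrs = self.sessions.pop(session_id, {})
        attrs["user"] = user
        new_id = secrets.token_hex(16)
        self.sessions[new_id] = attrs
        return new_id


def fixation_succeeds(login):
    """True if an id known before login still resolves to the authenticated
    user afterwards, i.e. the CWE-384 condition the advisory describes."""
    store = SessionStore()
    known_id = store.start("id-known-before-login")  # constructed value
    login(store, known_id, "victim")
    return store.user_of(known_id) == "victim"
```

The same check, run against a real application as a functional test that compares the session cookie before and after login, is the quickest way to confirm whether a deployment is affected.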
Name | Vendor | Start Version | End Version |
---|---|---|---|
Symfony | Sensiolabs | 2.7.0 (including) | 2.7.48 (excluding) |
Symfony | Sensiolabs | 2.8.0 (including) | 2.8.41 (excluding) |
Symfony | Sensiolabs | 3.3.0 (including) | 3.3.17 (excluding) |
Symfony | Sensiolabs | 3.4.0 (including) | 3.4.11 (excluding) |
Symfony | Sensiolabs | 4.0.0 (including) | 4.0.11 (excluding) |
Symfony | Ubuntu | artful | * |
Symfony | Ubuntu | bionic | * |
Symfony | Ubuntu | esm-apps/bionic | * |
Symfony | Ubuntu | esm-apps/xenial | * |
Symfony | Ubuntu | upstream | * |
Symfony | Ubuntu | xenial | * |
Such a scenario is commonly observed when: