Symfony CSRF Token Fixation
High severity
GitHub Reviewed
Published
May 14, 2022
to the GitHub Advisory Database
•
Updated Feb 8, 2024
Package
Affected versions
>= 2.7.0, < 2.7.48
>= 2.8.0, < 2.8.41
>= 3.0.0, < 3.3.17
>= 3.4.0, < 3.4.11
>= 4.0.0, < 4.0.11
Patched versions
2.7.48
2.8.41
3.3.17
3.4.11
4.0.11
>= 2.7.0, < 2.7.48
>= 2.8.0, < 2.8.41
>= 3.0.0, < 3.3.17
>= 3.4.0, < 3.4.11
>= 4.0.0, < 4.0.11
2.7.48
2.8.41
3.3.17
3.4.11
4.0.11
>= 2.7.0, < 2.7.48
>= 2.8.0, < 2.8.41
>= 3.0.0, < 3.3.17
>= 3.4.0, < 3.4.11
>= 4.0.0, < 4.0.11
2.7.48
2.8.41
3.3.17
3.4.11
4.0.11
>= 2.7.0, < 2.7.48
>= 2.8.0, < 2.8.41
>= 3.4.0, < 3.4.11
>= 4.0.0, < 4.0.11
>= 3.0.0, < 3.3.17
2.7.48
2.8.41
3.4.11
4.0.11
3.3.17
Description
Published by the National Vulnerability Database
Jun 13, 2018
Published to the GitHub Advisory Database
May 14, 2022
Reviewed
Jul 22, 2023
Last updated
Feb 8, 2024
An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. By default, a user's session is invalidated when the user is logged out. This behavior can be disabled through the invalidate_session option. In this case, CSRF tokens were not erased during logout which allowed for CSRF token fixation.
References