CVE-2018-11385

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2018-11385
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-11385.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2018-11385
Aliases
Downstream
Published
2018-06-13T16:29:00.437Z
Modified
2026-03-15T22:25:28.304033Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. A session fixation vulnerability within the "Guard" login feature may allow an attacker to impersonate a victim towards the web application if the session id value was previously known to the attacker.

References

Affected packages

Git / github.com/symfony/symfony

Affected ranges

Type
GIT
Repo
https://github.com/symfony/symfony
Events
Introduced
9975b1eca3de4db792a2c3e4e16f676a4aadcd46
Fixed
34d6116e2b80351c5a6f591285a4e9381b0dd127
Introduced
5615b92cd452cd54f1433a3f53de87c096a1107f
Fixed
24fc640d544a67869a4106de5fc303c597398629
Introduced
5a7e31c48e7cd4831efa409fffb661beb9995174
Fixed
4639525c796227ec36652ad97192a5eb3de74f76
Introduced
0a47db379b8cc74cdd84e1e6870fafc4a4ac8351
Fixed
8eb567d8398ce31a402ea8db3e6b5b1faf121cbc
Introduced
26ca7023b1c45dce951da7206ed70049267d27bc
Fixed
a54fa082103acd599b7d5de9204dc1f4aa8a5615
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
2e913a829cfbbf9cb38b321bdff1806b44b192eb
Database specific 
{
    "versions": [
        {
            "introduced": "2.7.0"
        },
        {
            "fixed": "2.7.48"
        },
        {
            "introduced": "2.8.0"
        },
        {
            "fixed": "2.8.41"
        },
        {
            "introduced": "3.3.0"
        },
        {
            "fixed": "3.3.17"
        },
        {
            "introduced": "3.4.0"
        },
        {
            "fixed": "3.4.11"
        },
        {
            "introduced": "4.0.0"
        },
        {
            "fixed": "4.0.11"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "8.0"
        }
    ]
}

Affected versions

v2.*
v2.3.30
v2.3.31
v2.3.32
v2.3.33
v2.3.34
v2.3.35
v2.3.36
v2.3.37
v2.3.38
v2.3.39
v2.3.40
v2.3.41
v2.3.42
v2.6.10
v2.7.0
v2.7.1
v2.7.10
v2.7.11
v2.7.12
v2.7.13
v2.7.14
v2.7.15
v2.7.16
v2.7.17
v2.7.18
v2.7.19
v2.7.2
v2.7.20
v2.7.21
v2.7.22
v2.7.23
v2.7.24
v2.7.25
v2.7.26
v2.7.27
v2.7.28
v2.7.29
v2.7.3
v2.7.30
v2.7.31
v2.7.32
v2.7.33
v2.7.34
v2.7.35
v2.7.36
v2.7.37
v2.7.38
v2.7.39
v2.7.4
v2.7.40
v2.7.41
v2.7.42
v2.7.43
v2.7.44
v2.7.45
v2.7.46
v2.7.47
v2.7.5
v2.7.6
v2.7.7
v2.7.8
v2.7.9

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-11385.json"
unresolved_ranges 
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "9.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "28"
            }
        ]
    }
]