GHSA-j5jh-hpr4-h332
Suggest an improvement- Source
- https://github.com/advisories/GHSA-j5jh-hpr4-h332
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-j5jh-hpr4-h332/GHSA-j5jh-hpr4-h332.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-j5jh-hpr4-h332
- Aliases
- Published
- 2022-05-14T02:47:28Z
- Modified
- 2024-02-16T08:09:28.922004Z
- Severity
-
- 3.1 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- Symfony Session Fixation Vulnerability
- Details
-
A session fixation vulnerability within the "Remember Me" login feature allows an attacker to impersonate the victim towards the web application if the session id value was previously known to the attacker. This issue has been fixed in Symfony 2.3.35, 2.6.12, and 2.7.7. Note that no fixes are provided for Symfony 2.4 and 2.5 as they are not maintained anymore. Symfony 2.8 and 3.0 haven't been released yet and the fix will be included in their first stable releases.
- Database specific
{ "nvd_published_at": "2015-12-07T20:59:00Z", "cwe_ids": [ "CWE-384" ], "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2023-08-02T21:06:13Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2015-8124
- https://github.com/symfony/symfony/pull/16631
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2015-8124.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security/CVE-2015-8124.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2015-8124.yaml
- https://symfony.com/blog/cve-2015-8124-session-fixation-in-the-remember-me-login-feature
- https://symfony.com/cve-2015-8124
- https://web.archive.org/web/20201209020014/http://www.securityfocus.com/archive/1/537183/100/0/threaded
- https://web.archive.org/web/20210125123853/http://www.securityfocus.com/bid/77694
- http://lists.fedoraproject.org/pipermail/package-announce/2015-December/173271.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-December/173300.html
- http://seclists.org/fulldisclosure/2015/Dec/89
- http://www.debian.org/security/2015/dsa-3402
Affected packages
Packagist / symfony/symfony
Package
- Name
- symfony/symfony
- Purl
- pkg:composer/symfony/symfony
Packagist / symfony/symfony
Package
- Name
- symfony/symfony
- Purl
- pkg:composer/symfony/symfony
Affected versions
v2.*
v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v2.4.6
v2.4.7
v2.4.8
v2.4.9
v2.4.10
v2.5.0-BETA1
v2.5.0-BETA2
v2.5.0-RC1
v2.5.0
v2.5.1
v2.5.2
v2.5.3
v2.5.4
v2.5.5
v2.5.6
v2.5.7
v2.5.8
v2.5.9
v2.5.10
v2.5.11
v2.5.12
v2.6.0-BETA1
v2.6.0-BETA2
v2.6.0
v2.6.1
v2.6.2
v2.6.3
v2.6.4
v2.6.5
v2.6.6
v2.6.7
v2.6.8
v2.6.9
v2.6.10
v2.6.11
Packagist / symfony/symfony
Package
- Name
- symfony/symfony
- Purl
- pkg:composer/symfony/symfony
Packagist / symfony/security-http
Package
- Name
- symfony/security-http
- Purl
- pkg:composer/symfony/security-http
Affected versions
v2.*
v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v2.4.6
v2.4.7
v2.4.8
v2.4.9
v2.4.10
v2.5.0-BETA1
v2.5.0-BETA2
v2.5.0-RC1
v2.5.0
v2.5.1
v2.5.2
v2.5.3
v2.5.4
v2.5.5
v2.5.6
v2.5.7
v2.5.8
v2.5.9
v2.5.10
v2.5.11
v2.5.12
v2.6.0-BETA1
v2.6.0-BETA2
v2.6.0
v2.6.1
v2.6.2
v2.6.3
v2.6.4
v2.6.5
v2.6.6
v2.6.7
v2.6.8
v2.6.9
v2.6.10
v2.6.11
Packagist / symfony/security-http
Package
- Name
- symfony/security-http
- Purl
- pkg:composer/symfony/security-http
Packagist / symfony/security
Package
- Name
- symfony/security
- Purl
- pkg:composer/symfony/security
Packagist / symfony/security
Package
- Name
- symfony/security
- Purl
- pkg:composer/symfony/security
Affected versions
v2.*
v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v2.4.6
v2.4.7
v2.4.8
v2.4.9
v2.4.10
v2.5.0-BETA1
v2.5.0-BETA2
v2.5.0-RC1
v2.5.0
v2.5.1
v2.5.2
v2.5.3
v2.5.4
v2.5.5
v2.5.6
v2.5.7
v2.5.8
v2.5.9
v2.5.10
v2.5.11
v2.5.12
v2.6.0-BETA1
v2.6.0-BETA2
v2.6.0
v2.6.1
v2.6.2
v2.6.3
v2.6.4
v2.6.5
v2.6.6
v2.6.7
v2.6.8
v2.6.9
v2.6.10
v2.6.11
Packagist / symfony/security
Package
- Name
- symfony/security
- Purl
- pkg:composer/symfony/security