{"id":"CVE-2022-24894","summary":"Symfony storing cookie headers in HttpCache","details":"Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony HTTP cache system acts as a reverse proxy: it caches entire responses (including headers) and returns them to the clients. In a recent change in the `AbstractSessionListener`, the response might contain a `Set-Cookie` header. If the Symfony HTTP cache system is enabled, this response might be stored and returned to the next clients. An attacker can use this vulnerability to retrieve the victim's session. This issue has been patched and is available for branch 4.4.","aliases":["BIT-symfony-2022-24894","GHSA-h7vf-5wrv-9fhv"],"modified":"2026-03-20T11:59:56.942954Z","published":"2023-02-03T21:46:23.702Z","database_specific":{"cwe_ids":["CWE-285"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/24xxx/CVE-2022-24894.json"},"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2023/07/msg00014.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/24xxx/CVE-2022-24894.json"},{"type":"ADVISORY","url":"https://github.com/symfony/symfony/security/advisories/GHSA-h7vf-5wrv-9fhv"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24894"},{"type":"FIX","url":"https://github.com/symfony/symfony/commit/d2f6322af9444ac5cd1ef3ac6f280dbef7f9d1fb"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/symfony/symfony","events":[{"introduced":"c3ebdbf9cceddb82cd2089aaef8c7b992e536363"},{"fixed":"6bc1c2e2506327daa9a2359ec45f7098ca947728"}],"database_specific":{"versions":[{"introduced":"2.0.0"},{"fixed":"4.4.50"}]}},{"type":"GIT","repo":"https://github.com/symfony/symfony","events":[{"introduced":"ea815ba986fe3be54acb5a47b0dc8760cf54e31d"},{"fixed":"7f9c726f539739637a7ffcbc6bf1062e2a432160"}],"database_specific":{"versions":[{"introduced"
:"5.0.0"},{"fixed":"5.4.20"}]}},{"type":"GIT","repo":"https://github.com/symfony/symfony","events":[{"introduced":"aa4e97099b5a67bdc9f2387fe8d099f5c712f81c"},{"fixed":"b101b71ddacfa664485bb09ec6272971e458f49f"}],"database_specific":{"versions":[{"introduced":"6.0.0"},{"fixed":"6.0.20"}]}},{"type":"GIT","repo":"https://github.com/symfony/symfony","events":[{"introduced":"c149a0868823d1b0cc01052f4031af2d507c7c9c"},{"fixed":"cd4fd18bf4c0d50dc665bf24b496013d9168e4d6"}],"database_specific":{"versions":[{"introduced":"6.1.0"},{"fixed":"6.1.12"}]}},{"type":"GIT","repo":"https://github.com/symfony/symfony","events":[{"introduced":"ed9b9e7795c3e30c6d70c6ecf013a28910f6e15e"},{"fixed":"008d9ac6cd61dd64d273bf5328857c7f97d9d7f6"}],"database_specific":{"versions":[{"introduced":"6.2.0"},{"fixed":"6.2.6"}]}}],"versions":["v2.0.0","v2.0.1","v2.0.10","v2.0.11","v2.0.12","v2.0.13","v2.0.14","v2.0.15","v2.0.16","v2.0.17","v2.0.18","v2.0.19","v2.0.2","v2.0.20","v2.0.21","v2.0.22","v2.0.23","v2.0.3","v2.0.4","v2.0.5","v2.0.6","v2.0.7","v2.0.8","v2.0.9","v2.1.0","v2.1.0-BETA1","v2.1.0-BETA2","v2.1.0-BETA3","v2.1.0-BETA4","v2.1.0-RC1","v2.1.0-RC2","v2.1.1","v2.1.10","v2.1.11","v2.1.2","v2.1.3","v2.1.4","v2.1.5","v2.1.6","v2.1.7","v2.1.8","v2.1.9","v2.2.0","v2.2.0-BETA1","v2.2.0-BETA2","v2.2.0-RC1","v2.2.0-RC2","v2.2.0-RC3","v2.2.1","v2.2.10","v2.2.11","v2.2.2","v2.2.3","v2.2.4","v2.2.5","v2.2.6","v2.2.7","v2.2.8","v2.2.9","v2.3.0","v2.3.0-BETA1","v2.3.0-BETA2","v2.3.0-RC1","v2.3.1","v2.3.10","v2.3.11","v2.3.12","v2.3.13","v2.3.14","v2.3.15","v2.3.16","v2.3.17","v2.3.18","v2.3.19","v2.3.2","v2.3.20","v2.3.21","v2.3.22","v2.3.23","v2.3.24","v2.3.25","v2.3.26","v2.3.27","v2.3.28","v2.3.29","v2.3.3","v2.3.30","v2.3.31","v2.3.32","v2.3.33","v2.3.34","v2.3.35","v2.3.36","v2.3.37","v2.3.38","v2.3.39","v2.3.4","v2.3.40","v2.3.41","v2.3.42","v2.3.5","v2.3.6","v2.3.7","v2.3.8","v2.3.9","v2.4.0","v2.4.0-BETA1","v2.4.0-BETA2","v2.4.0-RC1","v2.4.1","v2.4.2","v2.4.3","v2.4.4","v2.4.5","v2.4.6","v2.4.7"
,"v2.4.8","v2.4.9","v2.5.0","v2.5.0-BETA1","v2.5.0-BETA2","v2.5.0-RC1","v2.5.1","v2.5.10","v2.5.2","v2.5.3","v2.5.4","v2.5.5","v2.5.6","v2.5.7","v2.5.8","v2.5.9","v2.6.0","v2.6.0-BETA1","v2.6.0-BETA2","v2.6.1","v2.6.10","v2.6.2","v2.6.3","v2.6.4","v2.6.5","v2.6.6","v2.6.7","v2.6.8","v2.6.9","v2.7.0","v2.7.0-BETA1","v2.7.0-BETA2","v2.7.1","v2.7.10","v2.7.11","v2.7.12","v2.7.13","v2.7.14","v2.7.15","v2.7.16","v2.7.17","v2.7.18","v2.7.19","v2.7.2","v2.7.20","v2.7.21","v2.7.22","v2.7.23","v2.7.24","v2.7.25","v2.7.26","v2.7.27","v2.7.28","v2.7.29","v2.7.3","v2.7.30","v2.7.31","v2.7.32","v2.7.33","v2.7.34","v2.7.35","v2.7.36","v2.7.37","v2.7.38","v2.7.39","v2.7.4","v2.7.40","v2.7.41","v2.7.42","v2.7.43","v2.7.44","v2.7.45","v2.7.46","v2.7.47","v2.7.48","v2.7.49","v2.7.5","v2.7.6","v2.7.7","v2.7.8","v2.7.9","v2.8.0","v2.8.0-BETA1","v2.8.1","v2.8.10","v2.8.11","v2.8.12","v2.8.13","v2.8.14","v2.8.15","v2.8.16","v2.8.17","v2.8.18","v2.8.19","v2.8.2","v2.8.20","v2.8.21","v2.8.22","v2.8.23","v2.8.24","v2.8.25","v2.8.26","v2.8.27","v2.8.28","v2.8.29","v2.8.3","v2.8.30","v2.8.31","v2.8.32","v2.8.33","v2.8.34","v2.8.35","v2.8.36","v2.8.37","v2.8.38","v2.8.39","v2.8.4","v2.8.40","v2.8.41","v2.8.42","v2.8.43","v2.8.44","v2.8.45","v2.8.46","v2.8.47","v2.8.48","v2.8.5","v2.8.6","v2.8.7","v2.8.8","v2.8.9","v3.0.0","v3.0.0-BETA1","v3.0.1","v3.0.2","v3.0.3","v3.0.4","v3.0.5","v3.0.6","v3.0.7","v3.0.8","v3.1.0","v3.1.0-BETA1","v3.1.0-RC1","v3.1.1","v3.1.2","v3.1.3","v3.1.4","v3.1.5","v3.1.6","v3.1.7","v3.1.8","v3.1.9","v3.2.0","v3.2.0-BETA1","v3.2.0-RC1","v3.2.0-RC2","v3.2.1","v3.2.10","v3.2.11","v3.2.12","v3.2.13","v3.2.2","v3.2.3","v3.2.4","v3.2.5","v3.2.6","v3.2.7","v3.2.8","v3.2.9","v3.3.0","v3.3.0-BETA1","v3.3.0-RC1","v3.3.1","v3.3.10","v3.3.11","v3.3.12","v3.3.13","v3.3.14","v3.3.15","v3.3.2","v3.3.3","v3.3.4","v3.3.5","v3.3.6","v3.3.7","v3.3.8","v3.3.9","v3.4.0","v3.4.0-BETA1","v3.4.0-BETA2","v3.4.0-BETA3","v3.4.0-BETA4","v3.4.0-RC1","v3.4.0-RC2","v3.4.1","v3.4.10","v3.4.11","v3.4.
12","v3.4.13","v3.4.14","v3.4.15","v3.4.16","v3.4.17","v3.4.18","v3.4.19","v3.4.2","v3.4.20","v3.4.21","v3.4.22","v3.4.23","v3.4.24","v3.4.25","v3.4.26","v3.4.27","v3.4.28","v3.4.29","v3.4.3","v3.4.30","v3.4.31","v3.4.32","v3.4.33","v3.4.34","v3.4.35","v3.4.36","v3.4.37","v3.4.38","v3.4.39","v3.4.4","v3.4.40","v3.4.41","v3.4.42","v3.4.43","v3.4.44","v3.4.45","v3.4.46","v3.4.47","v3.4.48","v3.4.5","v3.4.6","v3.4.7","v3.4.8","v3.4.9","v4.0.0","v4.0.0-BETA1","v4.0.0-BETA2","v4.0.0-BETA3","v4.0.0-BETA4","v4.0.0-RC1","v4.0.0-RC2","v4.0.1","v4.0.10","v4.0.11","v4.0.12","v4.0.13","v4.0.2","v4.0.3","v4.0.4","v4.0.5","v4.0.6","v4.0.7","v4.0.8","v4.0.9","v4.1.0","v4.1.0-BETA1","v4.1.0-BETA2","v4.1.0-BETA3","v4.1.1","v4.1.10","v4.1.2","v4.1.3","v4.1.4","v4.1.5","v4.1.6","v4.1.7","v4.1.8","v4.1.9","v4.2.0","v4.2.0-BETA1","v4.2.0-BETA2","v4.2.0-RC1","v4.2.1","v4.2.10","v4.2.2","v4.2.3","v4.2.4","v4.2.5","v4.2.6","v4.2.7","v4.2.8","v4.2.9","v4.3.0","v4.3.0-BETA1","v4.3.0-BETA2","v4.3.0-RC1","v4.3.1","v4.3.10","v4.3.2","v4.3.3","v4.3.4","v4.3.5","v4.3.6","v4.3.7","v4.3.8","v4.3.9","v4.4.0","v4.4.0-BETA1","v4.4.0-BETA2","v4.4.0-RC1","v4.4.1","v4.4.10","v4.4.11","v4.4.12","v4.4.13","v4.4.14","v4.4.15","v4.4.16","v4.4.17","v4.4.18","v4.4.19","v4.4.2","v4.4.20","v4.4.21","v4.4.22","v4.4.23","v4.4.24","v4.4.25","v4.4.26","v4.4.27","v4.4.28","v4.4.29","v4.4.3","v4.4.30","v4.4.31","v4.4.32","v4.4.33","v4.4.34","v4.4.35","v4.4.36","v4.4.37","v4.4.38","v4.4.39","v4.4.4","v4.4.40","v4.4.41","v4.4.42","v4.4.43","v4.4.44","v4.4.45","v4.4.46","v4.4.47","v4.4.48","v4.4.49","v4.4.5","v4.4.6","v4.4.7","v4.4.8","v4.4.9","v5.0.0","v5.0.1","v5.0.10","v5.0.2","v5.0.3","v5.0.4","v5.0.5","v5.0.6","v5.0.7","v5.0.8","v5.0.9","v5.1.0","v5.1.0-BETA1","v5.1.0-RC1","v5.1.0-RC2","v5.1.1","v5.1.10","v5.1.2","v5.1.3","v5.1.4","v5.1.5","v5.1.6","v5.1.7","v5.1.8","v5.1.9","v5.2.0","v5.2.0-BETA1","v5.2.0-BETA2","v5.2.0-BETA3","v5.2.0-RC1","v5.2.0-RC2","v5.2.1","v5.2.10","v5.2.11","v5.2.12","v5.2.13","v5.2.14","v5.
2.2","v5.2.3","v5.2.4","v5.2.5","v5.2.6","v5.2.7","v5.2.8","v5.2.9","v5.3.0","v5.3.0-BETA1","v5.3.0-BETA2","v5.3.0-BETA3","v5.3.0-BETA4","v5.3.0-RC1","v5.3.1","v5.3.10","v5.3.11","v5.3.12","v5.3.13","v5.3.14","v5.3.15","v5.3.16","v5.3.2","v5.3.3","v5.3.4","v5.3.5","v5.3.6","v5.3.7","v5.3.8","v5.3.9","v5.4.0","v5.4.0-BETA1","v5.4.0-BETA2","v5.4.0-BETA3","v5.4.0-RC1","v5.4.1","v5.4.10","v5.4.11","v5.4.12","v5.4.13","v5.4.14","v5.4.15","v5.4.16","v5.4.17","v5.4.18","v5.4.19","v5.4.2","v5.4.3","v5.4.4","v5.4.5","v5.4.6","v5.4.7","v5.4.8","v5.4.9","v6.0.0","v6.0.1","v6.0.10","v6.0.11","v6.0.12","v6.0.13","v6.0.14","v6.0.15","v6.0.16","v6.0.17","v6.0.18","v6.0.19","v6.0.2","v6.0.3","v6.0.4","v6.0.5","v6.0.6","v6.0.7","v6.0.8","v6.0.9","v6.1.0","v6.1.1","v6.1.10","v6.1.11","v6.1.2","v6.1.3","v6.1.4","v6.1.5","v6.1.6","v6.1.7","v6.1.8","v6.1.9","v6.2.0","v6.2.1","v6.2.2","v6.2.3","v6.2.4","v6.2.5"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-24894.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:L"}]}