{"id":"CVE-2022-24895","summary":"Symfony vulnerable to Session Fixation of CSRF tokens","details":"Symfony is a PHP framework for web and console applications and a set of reusable PHP components. When authenticating users Symfony by default regenerates the session ID upon login, but preserves the rest of the session attributes. Because this does not clear CSRF tokens upon login, this might enable same-site attackers to bypass the CSRF protection mechanism by performing an attack similar to session fixation. This issue has been fixed in the 4.4 branch.","aliases":["BIT-symfony-2022-24895","GHSA-3gv2-29qc-v67m"],"modified":"2026-05-28T04:07:52.218264747Z","published":"2023-02-03T21:45:26.887Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/24xxx/CVE-2022-24895.json","cwe_ids":["CWE-384"],"cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2023/07/msg00014.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/24xxx/CVE-2022-24895.json"},{"type":"ADVISORY","url":"https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-bundle/CVE-2022-24895.yaml"},{"type":"ADVISORY","url":"https://github.com/symfony/symfony/security/advisories/GHSA-3gv2-29qc-v67m"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24895"},{"type":"FIX","url":"https://github.com/symfony/security-bundle/commit/076fd2088ada33d760758d98ff07ddedbf567946"},{"type":"FIX","url":"https://github.com/symfony/symfony/commit/5909d74ecee359ea4982fcf4331aaf2e489a1fd4"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/symfony/security-bundle","events":[{"introduced":"0"},{"fixed":"076fd2088ada33d760758d98ff07ddedbf567946"}],"database_specific":{"source":"REFERENCES"}}],"versions":["v4.4.44","v4.4.42","v4.4.41","v4.4.38","v4.4.37","v4.4.36","v4.4.34","v4.4.27","v4.4.26","v4.4.25","v4.4.23","v4.4.22","v4.4.21","v4.4
.20","v4.4.19","v4.4.18","v4.4.17","v4.4.16","v4.4.15","v4.4.14","v4.4.13","v4.4.12","v4.4.11","v4.4.9","v4.4.10","v4.4.8","v4.4.7","v4.4.6","v4.4.5","v4.4.4","v4.4.3","v4.4.2","v4.4.1","v4.4.0-RC1","v4.4.0","v4.4.0-BETA2","v4.4.0-BETA1","v4.3.0-RC1","v4.3.0-BETA2","v4.3.0-BETA1","v4.3.0","v4.2.1","v4.2.0-RC1","v4.2.0-BETA2","v4.2.0","v4.2.0-BETA1","v4.1.0-BETA1","v4.0.0-RC1","v4.0.0-BETA4","v4.0.0-BETA3","v4.0.0-BETA2","v4.0.0-BETA1","v3.3.0-RC1","v3.3.0-BETA1","v3.2.0-RC1","v3.2.0-BETA1","v3.1.0-BETA1","v3.0.0","v3.0.0-BETA1","v2.6.0-BETA1","v2.5.0-BETA1","v2.5.0-RC1","v2.5.0-BETA2","v2.5.0","v2.4.0-RC1","v2.4.0","v2.4.0-BETA2","v2.4.0-BETA1","v2.1.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-24895.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/symfony/security-http","events":[{"introduced":"0"},{"fixed":"7fa4a0cac16f02cb534a6e9adcdb17385f94004f"},{"introduced":"18f96c1f4aff294d6872908741731ff0993dbd6f"},{"fixed":"0236efe37462df3204e758e3a55661a43285d948"},{"introduced":"6530589fc40cdceda230fb6a69173ce52fa8b5ca"},{"fixed":"8cf1b05371898dd138d543eb3b8f72cbe5da9704"},{"introduced":"7350abfec0228dabb8dafde17d8a821f65c6dd4f"},{"fixed":"e671c9748c439492c4a2d07862ee63a9a6fbf5c1"},{"introduced":"14c79cf944acf24511b22eca631f5524b3d091a8"},{"fixed":"77c95eada3e3f0bf3a50f89817a18819b357376e"}],"database_specific":{"source":"CPE_RANGE","extracted_events":[{"introduced":"2.0.0"},{"fixed":"4.4.50"},{"introduced":"5.0.0"},{"fixed":"5.4.20"},{"introduced":"6.0.0"},{"fixed":"6.0.20"},{"introduced":"6.1.0"},{"fixed":"6.1.12"},{"introduced":"6.2.0"},{"fixed":"6.2.6"}],"cpe":"cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*"}}],"versions":["v6.2.5","v6.1.11","v6.0.19","v5.4.19","v4.4.48","v6.2.2","v6.1.9","v6.0.17","v5.4.17","v6.2.0","v6.1.7","v6.0.15","v5.4.15","v6.1.6","v6.0.14","v5.4.13","v4.4.44","v6.1.5","v6.0.13","v5.4.11","v6.1.4","v6.0.12","v5.4.12","v6.1.3","v6.0.11","v4.4.42","v6.1.2","v6.0.10","
v5.4.10","v6.1.1","v6.1.0-RC1","v6.1.0","v6.0.9","v5.4.9","v4.4.41","v6.0.8","v5.4.8","v6.0.7","v4.4.37","v5.4.5","v6.0.5","v6.0.3","v5.4.3","v6.0.2","v5.4.2","v4.4.36","v6.0.1","v5.4.0","v4.4.34","v6.0.0","v5.4.0-RC1","v5.4.0-BETA2","v5.4.0-BETA1","v4.4.30","v4.4.27","v4.4.26","v4.4.25","v4.4.24","v5.3.0-RC1","v4.4.22","v5.3.0-BETA4","v5.3.0-BETA3","v5.3.0-BETA2","v5.3.0-BETA1","v4.4.21","v4.4.20","v4.4.19","v4.4.18","v4.4.17","v5.2.0","v5.2.0-RC2","v5.2.0-RC1","v5.2.0-BETA3","v4.4.16","v5.2.0-BETA2","v5.2.0-BETA1","v4.4.15","v4.4.14","v4.4.13","v4.4.12","v4.4.9","v4.4.11","v4.4.10","v5.1.0-RC1","v4.4.8","v5.1.0-BETA1","v4.4.7","v4.4.6","v4.4.5","v4.4.4","v4.4.3","v4.4.2","v4.4.1","v4.4.0","v4.4.0-RC1","v5.0.0-RC1","v5.0.0-BETA2","v4.4.0-BETA2","v5.0.0-BETA1","v4.4.0-BETA1","v4.3.0-BETA2","v4.3.0-BETA1","v4.2.0-RC1","v4.2.0-BETA2","v4.2.0","v4.2.0-BETA1","v4.1.0-BETA1","v4.0.0-RC1","v4.0.0-BETA4","v4.0.0-BETA3","v4.0.0-BETA2","v4.0.0-BETA1","v3.3.0-RC1","v3.3.0-BETA1","v3.2.0-RC1","v3.2.0-BETA1","v3.1.1","v3.1.0-RC1","v3.1.0-BETA1","v3.1.0","v3.0.0","v3.0.0-BETA1","v2.6.0-BETA1","v2.5.0-BETA1","v2.5.2","v2.5.1","v2.5.0-RC1","v2.5.0","v2.5.0-BETA2","v2.4.0-RC1","v2.4.0-BETA2","v2.4.0-BETA1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-24895.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/symfony/symfony","events":[{"introduced":"c3ebdbf9cceddb82cd2089aaef8c7b992e536363"},{"fixed":"6bc1c2e2506327daa9a2359ec45f7098ca947728"},{"introduced":"ea815ba986fe3be54acb5a47b0dc8760cf54e31d"},{"fixed":"7f9c726f539739637a7ffcbc6bf1062e2a432160"},{"introduced":"aa4e97099b5a67bdc9f2387fe8d099f5c712f81c"},{"fixed":"b101b71ddacfa664485bb09ec6272971e458f49f"},{"introduced":"c149a0868823d1b0cc01052f4031af2d507c7c9c"},{"fixed":"cd4fd18bf4c0d50dc665bf24b496013d9168e4d6"},{"introduced":"ed9b9e7795c3e30c6d70c6ecf013a28910f6e15e"},{"fixed":"008d9ac6cd61dd64d273bf5328857c7f97d9d7f6"},{"fixed":"5909d74ecee359ea4982f
cf4331aaf2e489a1fd4"}],"database_specific":{"source":["CPE_RANGE","REFERENCES"],"extracted_events":[{"introduced":"2.0.0"},{"fixed":"4.4.50"},{"introduced":"5.0.0"},{"fixed":"5.4.20"},{"introduced":"6.0.0"},{"fixed":"6.0.20"},{"introduced":"6.1.0"},{"fixed":"6.1.12"},{"introduced":"6.2.0"},{"fixed":"6.2.6"}],"cpe":"cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*"}}],"versions":["v6.2.5","v6.1.11","v6.0.19","v5.4.19","v4.4.49","v6.2.4","v6.1.10","v6.0.18","v5.4.18","v6.2.3","v6.1.9","v6.0.17","v5.4.17","v6.2.2","v6.2.1","v6.2.0","v6.1.8","v6.0.16","v5.4.16","v6.1.7","v6.0.15","v5.4.15","v4.4.48","v6.1.6","v6.0.14","v5.4.14","v4.4.47","v6.1.5","v6.0.13","v5.4.13","v4.4.46","v6.1.4","v6.0.12","v5.4.12","v4.4.45","v6.1.3","v6.0.11","v5.4.11","v4.4.44","v6.1.2","v6.0.10","v5.4.10","v4.4.43","v6.1.1","v6.1.0","v6.0.9","v5.4.9","v4.4.42","v6.0.8","v5.4.8","v4.4.41","v6.0.7","v5.4.7","v4.4.40","v6.0.6","v5.4.6","v4.4.39","v6.0.5","v5.4.5","v4.4.38","v5.4.3","v6.0.4","v5.4.4","v6.0.3","v4.4.37","v6.0.2","v5.4.2","v4.4.36","v4.4.35","v6.0.1","v5.4.1","v6.0.0","v5.4.0","v5.4.0-RC1","v4.4.34","v5.4.0-BETA3","v5.4.0-BETA2","v5.4.0-BETA1","v4.4.33","v4.4.32","v4.4.31","v4.4.30","v4.4.25","v4.4.29","v4.4.28","v4.4.27","v4.4.26","v4.4.24","v5.3.0-BETA4","v4.4.23","v5.3.0-BETA3","v5.3.0-BETA2","v4.4.22","v5.3.0-BETA1","v4.4.21","v4.4.20","v4.4.19","v4.4.18","v4.4.17","v5.2.0-BETA3","v4.4.16","v5.2.0-BETA2","v5.2.0-BETA1","v4.4.15","v4.4.14","v4.4.13","v4.4.12","v4.4.11","v4.4.10","v4.4.9","v5.1.0-BETA1","v4.4.8","v4.4.7","v4.4.6","v4.4.5","v4.4.4","v4.4.3","v4.4.2","v4.4.1","v4.4.0","v5.0.0-RC1","v4.4.0-RC1","v5.0.0-BETA2","v4.4.0-BETA2","v5.0.0-BETA1","v4.4.0-BETA1","v4.3.0-BETA1","v4.2.0-BETA2","v4.2.0-BETA1","v4.0.0-BETA4","v4.0.0-BETA3","v4.0.0-BETA2","v4.0.0-BETA1","v3.3.0-BETA1","v3.2.0-RC1","v3.2.0-BETA1","v3.0.0","v3.0.0-BETA1","v2.6.0-BETA1","v2.5.0-BETA1","v2.5.0-BETA2","v2.4.0-BETA2","v2.4.0-BETA1","v2.3.0-BETA2","v2.3.0-BETA1","v2.2.0-BETA2","v2.2.0-BETA1","v2.1.0","v2.1.0-
RC2","v2.1.0-RC1","v2.1.0-BETA4","v2.1.0-BETA3","v2.1.0-BETA2","v2.1.0-BETA1","v2.0.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-24895.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L"}]}