Ubuntu update for symfony

Published: 2025-02-18

Risk	High
Patch available	YES
Number of vulnerabilities	9
CVE-ID	CVE-2022-24894 CVE-2022-24895 CVE-2023-46734 CVE-2024-50340 CVE-2024-50341 CVE-2024-51996 CVE-2024-50342 CVE-2024-50343 CVE-2024-50345
CWE-ID	CWE-384 CWE-352 CWE-79 CWE-20 CWE-447 CWE-287 CWE-918 CWE-601
Exploitation vector	Network
Public exploit	Public exploit code for vulnerability #4 is available.
Vulnerable software	Ubuntu Operating systems & Components / Operating system php-symfony (Ubuntu package) Operating systems & Components / Operating system package or component
Vendor	Canonical Ltd.

Security Bulletin

This security bulletin contains information about 9 vulnerabilities.

1) Session Fixation

EUVDB-ID: #VU71735

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-24894

CWE-ID: CWE-384 - Session Fixation

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to the cookie headers are stored in HttpCache. A remote attacker can retrieve the victim's session.

Mitigation

Update the affected package symfony to the latest version.

Vulnerable software versions

Ubuntu: 20.04 - 24.04

php-symfony (Ubuntu package): before Ubuntu Pro

CPE2.3

External links

https://ubuntu.com/security/notices/USN-7272-1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Cross-site request forgery

EUVDB-ID: #VU71736

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-24895

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.

Mitigation

Update the affected package symfony to the latest version.

Vulnerable software versions

Ubuntu: 20.04 - 24.04

php-symfony (Ubuntu package): before Ubuntu Pro

CPE2.3

cpe:2.3:o:canonical:php-symfony_ubuntu_package:*:*:*:*:*:ubuntu:*:*

External links

https://ubuntu.com/security/notices/USN-7272-1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Cross-site scripting

EUVDB-ID: #VU82996

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-46734

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in CodeExtension filters. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Update the affected package symfony to the latest version.

Vulnerable software versions

Ubuntu: 20.04 - 24.04

php-symfony (Ubuntu package): before Ubuntu Pro

CPE2.3

cpe:2.3:o:canonical:php-symfony_ubuntu_package:*:*:*:*:*:ubuntu:*:*

External links

https://ubuntu.com/security/notices/USN-7272-1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Input validation error

EUVDB-ID: #VU99967

Risk: Medium

CVSSv4.0: 5.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2024-50340

CWE-ID: CWE-20 - Improper input validation

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient validation of user-supplied input with enabled register_argv_argc PHP directive. A remote attacker can pass specially crafted URL to the application and manipulate current PHP environment.

Mitigation

Update the affected package symfony to the latest version.

Vulnerable software versions

Ubuntu: 20.04 - 24.04

php-symfony (Ubuntu package): before Ubuntu Pro

CPE2.3

cpe:2.3:o:canonical:php-symfony_ubuntu_package:*:*:*:*:*:ubuntu:*:*

External links

https://ubuntu.com/security/notices/USN-7272-1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

5) Unimplemented or Unsupported Feature in UI

EUVDB-ID: #VU99962

Risk: Low

CVSSv4.0: 0.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-50341

CWE-ID: CWE-447 - Unimplemented or Unsupported Feature in UI

Exploit availability: No

Description

The vulnerability allows a remote user to bypass security restrictions.

The vulnerability exists due to the custom user_checker defined on a firewall is not called when Login Programmaticaly with the Security::login method. A remote user can bypass security restrictions and gain unauthorized access to the application.

Mitigation

Update the affected package symfony to the latest version.

Vulnerable software versions

Ubuntu: 20.04 - 24.04

php-symfony (Ubuntu package): before Ubuntu Pro

CPE2.3

cpe:2.3:o:canonical:php-symfony_ubuntu_package:*:*:*:*:*:ubuntu:*:*

External links

https://ubuntu.com/security/notices/USN-7272-1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Improper authentication

EUVDB-ID: #VU100537

Risk: High

CVSSv4.0: 8 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2024-51996

CWE-ID: CWE-287 - Improper Authentication

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to an error during authentication when using the persisted remember-me cookie. The application does not check if the username persisted in the database matches the username attached with the cookie. A remote non-authenticated attacker can bypass authentication process and gain unauthorized access to the application.

Mitigation

Update the affected package symfony to the latest version.

Vulnerable software versions

Ubuntu: 20.04 - 24.04

php-symfony (Ubuntu package): before Ubuntu Pro

CPE2.3

cpe:2.3:o:canonical:php-symfony_ubuntu_package:*:*:*:*:*:ubuntu:*:*

External links

https://ubuntu.com/security/notices/USN-7272-1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Server-Side Request Forgery (SSRF)

EUVDB-ID: #VU99966

Risk: Medium

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-50342

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

Exploit availability: No

Description

The disclosed vulnerability allows a user attacker to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input when using NoPrivateNetworkHttpClient. A remote user can send a specially crafted HTTP request and trick the application to initiate requests to arbitrary systems.

Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.

Mitigation

Update the affected package symfony to the latest version.

Vulnerable software versions

Ubuntu: 20.04 - 24.04

php-symfony (Ubuntu package): before Ubuntu Pro

CPE2.3

cpe:2.3:o:canonical:php-symfony_ubuntu_package:*:*:*:*:*:ubuntu:*:*

External links

https://ubuntu.com/security/notices/USN-7272-1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) Input validation error

EUVDB-ID: #VU99963

Risk: Low

CVSSv4.0: 0.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-50343

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote user to bypass security restrictions.

The vulnerability exists due to improper validation of single quote characters within the validator. A remote user can pass specially crafted input to the application and bypass certain security restrictions.

Mitigation

Update the affected package symfony to the latest version.

Vulnerable software versions

Ubuntu: 20.04 - 24.04

php-symfony (Ubuntu package): before Ubuntu Pro

CPE2.3

cpe:2.3:o:canonical:php-symfony_ubuntu_package:*:*:*:*:*:ubuntu:*:*

External links

https://ubuntu.com/security/notices/USN-7272-1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) Open redirect

EUVDB-ID: #VU99965

Risk: Low

CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-50345

CWE-ID: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

Exploit availability: No

Description

The vulnerability allows a remote attacker to redirect victims to arbitrary URL.

The vulnerability exists due to improper sanitization of user-supplied data within the Request class. A remote attacker can create a link that leads to a trusted website, however, when clicked, redirects the victim to arbitrary domain.

Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.

Mitigation

Update the affected package symfony to the latest version.

Vulnerable software versions

Ubuntu: 20.04 - 24.04

php-symfony (Ubuntu package): before Ubuntu Pro

CPE2.3

cpe:2.3:o:canonical:php-symfony_ubuntu_package:*:*:*:*:*:ubuntu:*:*

External links

https://ubuntu.com/security/notices/USN-7272-1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.