#VU58369 Session Fixation in security-bundle - CVE-2021-41268

Cybersecurity Help s.r.o.

Published: 2021-11-25

Vulnerability identifier: #VU58369

Vulnerability risk: Medium

CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-41268

CWE-ID: CWE-384

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
security-bundle
Web applications / Modules and components for CMS

Vendor: Symfony

Description

The vulnerability allows a local user to compromise the target system.

The vulnerability exists due to the cookie is not invalidated anymore when the user changes its password. A remote authenticated attacker can maintain their access to the account even if the password is changed.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

security-bundle: 5.3.0 RC1 - 5.3.11

External links
https://github.com/symfony/symfony/security/advisories/GHSA-qw36-p97w-vcqr
https://github.com/symfony/symfony/releases/tag/v5.3.12
https://github.com/symfony/symfony/commit/36a808b857cd3240244f4b224452fb1e70dc6dfc
https://github.com/symfony/symfony/pull/44243

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities n Symfony

Session Fixation in Symfony security-bundle