CVE-2018-11385: Session Fixation Issue for Guard Authentication
Symfony 2.7.0 to 2.7.47, 2.8.0 to 2.8.40, 3.3.0 to 3.3.16, 3.4.0 to 3.4.10 and 4.0.0 to 4.0.10 versions of the Symfony Security component are affected by this security issue.
The issue has been fixed in Symfony 2.7.48, 2.8.41, 3.3.17, 3.4.11, and 4.0.11.
Note that no fixes are provided for Symfony 3.0, 3.1 and 3.2 as they are not maintained anymore.
A session fixation vulnerability within the "Guard" login feature may allow an attacker to impersonate the victim towards the web application if the session id value was previously known to the attacker.
The described vulnerability allows an attacker to access a Symfony web application with the attacked user's permissions. The attack requires that the "Guard authentication" login feature is used by the application. Additionally the attacker either got access to the PHPSESSID cookie value or has successfully set a new value in the user's browser. Because of its requirements the described vulnerability poses a low risk only.
The fix migrates the session after a successful login via the "Guard" login feature.
Additionally, the session was also migrated after successful login of several other authentication systems that are rarely used in a session environment (like a browser). Because of this, a session fixation exploit is highly unlikely. However, a patch was included to be as secure as possible.
I would like to thank Chris Wilkinson for reporting this security issue, Ryan Weaver for providing a fix, and the Symfony Core Team for reviewing the patch.