CVE-2018-11406: CSRF Token Fixation
Symfony 2.7.0 to 2.7.47, 2.8.0 to 2.8.40, 3.3.0 to 3.3.16, 3.4.0 to 3.4.10, and 4.0.0 to 4.0.10 versions of the Symfony Security component are affected by this security issue.
The issue has been fixed in Symfony 2.7.48, 2.8.41, 3.3.17, 3.4.11, and 4.0.11. 4.1.0 has also been fixed before its final release.
Note that no fixes are provided for Symfony 3.0, 3.1, and 3.2 as they are not maintained anymore.
By default, a user’s session is invalidated when the user is logged out. This
behavior can be disabled through the
invalidate_session option. In this
case, CSRF tokens where not erased during logout which allowed for
CSRF token fixation.
We fixed this issue by clearing all CSRF tokens when the user is logged out.
I would like to thank Kévin Liagre for reporting this security issue, Christian Flothmann for working on a fix, and the Symfony Core Team for reviewing the patch.
Have found a security issue in Symfony? Send the details to security [at] symfony.com and don't disclose it publicly until we can provide a fix for it.
Comments are closed.
To ensure that comments stay relevant, they are closed for old posts.