CVE-2022-24894: Prevent storing cookie headers in HttpCache
Symfony versions >=2.0.0, <4.4.50, >= 5.0.0, < 5.4.20, >= 6.0.0, < 6.0.20, >= 6.1.0, < 6.1.12, and >= 6.2.0, < 6.2.6 of the Symfony Security Bundle are affected by this security issue.
The issue has been fixed in Symfony 4.4.50, 5.4.20, 6.0.20, 6.1.12, and 6.2.6. All other versions are not maintained anymore.
The Symfony HTTP cache system acts as a reverse proxy: it caches HTTP responses (including headers) and returns them to clients.
In a recent
AbstractSessionListener change, the response might now contain a
Set-Cookie header. If the Symfony HTTP cache system is enabled, this header might be stored and returned to some other clients. An attacker can use this vulnerability to retrieve the victim's session.
HttpStore constructor now takes a parameter containing a list of private headers that are removed from the HTTP response headers.
The default value for this parameter is
Set-Cookie, but it can be overridden or extended by the application.
The patch for this issue is available here for branch 4.4.
We would like to thank Soner Sayakci for reporting the issue and Nicolas Grekas for fixing it.
Have found a security issue in Symfony? Send the details to security [at] symfony.com and don't disclose it publicly until we can provide a fix for it.
Comments are closed.
To ensure that comments stay relevant, they are closed for old posts.