Vulnerability-Lookup

CVE-2021-41268 (GCVE-0-2021-41268)

Vulnerability from cvelistv5 – Published: 2021-11-24 18:55 – Updated: 2024-08-04 03:08

Title

Cookie persistence in Symfony

Summary

Symfony/SecurityBundle is the security system for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Since the rework of the Remember me cookie in version 5.3.0, the cookie is not invalidated when the user changes their password. Attackers can therefore maintain their access to the account even if the password is changed as long as they have had the chance to login once and get a valid remember me cookie. Starting with version 5.3.12, Symfony makes the password part of the signature by default. In that way, when the password changes, then the cookie is not valid anymore.

Severity ?

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-384 - Session Fixation

Assigner

GitHub_M

References

URL

	Vendor	Product	Version
	symfony	symfony	Affected: >= 5.3.0, < 5.3.12

GHSA-QW36-P97W-VCQR

Vulnerability from github – Published: 2021-11-24 20:05 – Updated: 2021-12-01 14:36

Summary

Cookie persistence after password changes in symfony/security-bundle

Details

Description

Since the rework of the Remember me cookie in Symfony 5.3, the cookie is not invalidated anymore when the user changes its password.

Attackers can therefore maintain their access to the account even if the password is changed as long as they have had the chance to login once and get a valid remember me cookie.

Resolution

Symfony now makes the password part of the signature by default. In that way, when the password changes then the cookie is not valid anymore.

The patch for this issue is available here for branch 5.3.

Credits

We would like to thank Thibaut Decherit for reporting the issue and Wouter J for fixing the issue.

Severity ?

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/security-bundle"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.3.0"
            },
            {
              "fixed": "5.3.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "symfony/symfony"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.3.0"
            },
            {
              "fixed": "5.3.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-41268"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-384"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-11-24T20:00:03Z",
    "nvd_published_at": "2021-11-24T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Description\n-----------\n\nSince the rework of the Remember me cookie in Symfony 5.3, the cookie is not invalidated anymore when the user changes its password. \n\nAttackers can therefore maintain their access to the account even if the password is changed as long as they have had the chance to login once and get a valid remember me cookie.\n\nResolution\n----------\n\nSymfony now makes the password part of the signature by default. In that way, when the password changes then the cookie is not valid anymore.\n\nThe patch for this issue is available [here](https://github.com/symfony/symfony/commit/36a808b857cd3240244f4b224452fb1e70dc6dfc) for branch 5.3.\n\nCredits\n-------\n\nWe would like to thank Thibaut Decherit for reporting the issue and Wouter J for fixing the issue.\n",
  "id": "GHSA-qw36-p97w-vcqr",
  "modified": "2021-12-01T14:36:09Z",
  "published": "2021-11-24T20:05:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/symfony/symfony/security/advisories/GHSA-qw36-p97w-vcqr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41268"
    },
    {
      "type": "WEB",
      "url": "https://github.com/symfony/symfony/pull/44243"
    },
    {
      "type": "WEB",
      "url": "https://github.com/symfony/symfony/commit/36a808b857cd3240244f4b224452fb1e70dc6dfc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-bundle/CVE-2021-41268.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2021-41268.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/symfony/symfony"
    },
    {
      "type": "WEB",
      "url": "https://github.com/symfony/symfony/releases/tag/v5.3.12"
    },
    {
      "type": "WEB",
      "url": "https://symfony.com/cve-2021-41268"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Cookie persistence after password changes in symfony/security-bundle"
}

GSD-2021-41268

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2021-41268

Aliases

CVE-2021-41268

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-41268",
    "description": "Symfony/SecurityBundle is the security system for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Since the rework of the Remember me cookie in version 5.3.0, the cookie is not invalidated when the user changes their password. Attackers can therefore maintain their access to the account even if the password is changed as long as they have had the chance to login once and get a valid remember me cookie. Starting with version 5.3.12, Symfony makes the password part of the signature by default. In that way, when the password changes, then the cookie is not valid anymore.",
    "id": "GSD-2021-41268"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2021-41268"
      ],
      "details": "Symfony/SecurityBundle is the security system for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Since the rework of the Remember me cookie in version 5.3.0, the cookie is not invalidated when the user changes their password. Attackers can therefore maintain their access to the account even if the password is changed as long as they have had the chance to login once and get a valid remember me cookie. Starting with version 5.3.12, Symfony makes the password part of the signature by default. In that way, when the password changes, then the cookie is not valid anymore.",
      "id": "GSD-2021-41268",
      "modified": "2023-12-13T01:23:27.577612Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2021-41268",
        "STATE": "PUBLIC",
        "TITLE": "Cookie persistence in Symfony"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "symfony",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003e= 5.3.0, \u003c 5.3.12"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "symfony"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Symfony/SecurityBundle is the security system for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Since the rework of the Remember me cookie in version 5.3.0, the cookie is not invalidated when the user changes their password. Attackers can therefore maintain their access to the account even if the password is changed as long as they have had the chance to login once and get a valid remember me cookie. Starting with version 5.3.12, Symfony makes the password part of the signature by default. In that way, when the password changes, then the cookie is not valid anymore."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-384: Session Fixation"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/symfony/symfony/security/advisories/GHSA-qw36-p97w-vcqr",
            "refsource": "CONFIRM",
            "url": "https://github.com/symfony/symfony/security/advisories/GHSA-qw36-p97w-vcqr"
          },
          {
            "name": "https://github.com/symfony/symfony/pull/44243",
            "refsource": "MISC",
            "url": "https://github.com/symfony/symfony/pull/44243"
          },
          {
            "name": "https://github.com/symfony/symfony/commit/36a808b857cd3240244f4b224452fb1e70dc6dfc",
            "refsource": "MISC",
            "url": "https://github.com/symfony/symfony/commit/36a808b857cd3240244f4b224452fb1e70dc6dfc"
          },
          {
            "name": "https://github.com/symfony/symfony/releases/tag/v5.3.12",
            "refsource": "MISC",
            "url": "https://github.com/symfony/symfony/releases/tag/v5.3.12"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-qw36-p97w-vcqr",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=5.3.0,\u003c5.3.12",
          "affected_versions": "All versions starting from 5.3.0 before 5.3.12",
          "cvss_v2": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-384",
            "CWE-937"
          ],
          "date": "2021-11-30",
          "description": "Symfony/SecurityBundle is the security system for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Since the rework of the Remember me cookie, the cookie is not invalidated when the user changes their password. Attackers can therefore maintain their access to the account even if the password is changed as long as they have had the chance to login once and get a valid remember me cookie. Starting with, Symfony makes the password part of the signature by default. In that way, when the password changes, then the cookie is not valid anymore.",
          "fixed_versions": [
            "5.3.12"
          ],
          "identifier": "CVE-2021-41268",
          "identifiers": [
            "CVE-2021-41268",
            "GHSA-qw36-p97w-vcqr"
          ],
          "not_impacted": "All versions before 5.3.0, all versions starting from 5.3.12",
          "package_slug": "packagist/symfony/security-bundle",
          "pubdate": "2021-11-24",
          "solution": "Upgrade to version 5.3.12 or above.",
          "title": "Session Fixation",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-41268",
            "https://github.com/symfony/symfony/security/advisories/GHSA-qw36-p97w-vcqr",
            "https://github.com/symfony/symfony/releases/tag/v5.3.12",
            "https://github.com/symfony/symfony/commit/36a808b857cd3240244f4b224452fb1e70dc6dfc",
            "https://github.com/symfony/symfony/pull/44243"
          ],
          "uuid": "739d6516-9c03-45b7-9819-2bf380add788"
        },
        {
          "affected_range": "\u003e=5.3.0,\u003c5.3.12",
          "affected_versions": "All versions starting from 5.3.0 before 5.3.12",
          "cvss_v2": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-384",
            "CWE-937"
          ],
          "date": "2021-11-30",
          "description": "`Symfony/SecurityBundle` is the security system for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Since the rework of the Remember me cookie, the cookie is not invalidated when the user changes their password. Attackers can therefore maintain their access to the account even if the password is changed as long as they have had the chance to login once and get a valid remember me cookie. Starting with, Symfony makes the password part of the signature by default. In that way, when the password changes, then the cookie is not valid anymore.",
          "fixed_versions": [
            "5.4.0"
          ],
          "identifier": "CVE-2021-41268",
          "identifiers": [
            "CVE-2021-41268",
            "GHSA-qw36-p97w-vcqr"
          ],
          "not_impacted": "All versions before 5.3.0, all versions starting from 5.3.12",
          "package_slug": "packagist/symfony/security-http",
          "pubdate": "2021-11-24",
          "solution": "Upgrade to version 5.4.0 or above.",
          "title": "Session Fixation",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-41268",
            "https://github.com/symfony/symfony/security/advisories/GHSA-qw36-p97w-vcqr",
            "https://github.com/symfony/symfony/releases/tag/v5.3.12",
            "https://github.com/symfony/symfony/commit/36a808b857cd3240244f4b224452fb1e70dc6dfc",
            "https://github.com/symfony/symfony/pull/44243"
          ],
          "uuid": "62f34541-7dd3-4218-aadc-8aaeb07d779e"
        },
        {
          "affected_range": "\u003e=5.3.0,\u003c5.3.12",
          "affected_versions": "All versions starting from 5.3.0 before 5.3.12",
          "cvss_v2": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-384",
            "CWE-937"
          ],
          "date": "2021-11-30",
          "description": "`Symfony/SecurityBundle` is the security system for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Since the rework of the Remember me cookie, the cookie is not invalidated when the user changes their password. Attackers can therefore maintain their access to the account even if the password is changed as long as they have had the chance to login once and get a valid remember me cookie. Starting with, Symfony makes the password part of the signature by default. In that way, when the password changes, then the cookie is not valid anymore.",
          "fixed_versions": [
            "5.3.12"
          ],
          "identifier": "CVE-2021-41268",
          "identifiers": [
            "CVE-2021-41268",
            "GHSA-qw36-p97w-vcqr"
          ],
          "not_impacted": "All versions starting from 5.3.12",
          "package_slug": "packagist/symfony/security",
          "pubdate": "2021-11-24",
          "solution": "Upgrade to version 5.3.12 or above.",
          "title": "Session Fixation",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-41268",
            "https://github.com/symfony/symfony/security/advisories/GHSA-qw36-p97w-vcqr",
            "https://github.com/symfony/symfony/releases/tag/v5.3.12",
            "https://github.com/symfony/symfony/commit/36a808b857cd3240244f4b224452fb1e70dc6dfc",
            "https://github.com/symfony/symfony/pull/44243"
          ],
          "uuid": "49fd3bd9-30b2-4c96-8075-3afb5af43bee"
        },
        {
          "affected_range": "\u003e=5.3.0,\u003c5.3.12",
          "affected_versions": "All versions starting from 5.3.0 before 5.3.12",
          "cvss_v2": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-384",
            "CWE-937"
          ],
          "date": "2021-11-30",
          "description": "`Symfony/SecurityBundle` is the security system for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Since the rework of the Remember me cookie, the cookie is not invalidated when the user changes their password. Attackers can therefore maintain their access to the account even if the password is changed as long as they have had the chance to login once and get a valid remember me cookie. Symfony makes the password part of the signature by default. In that way, when the password changes, then the cookie is not valid anymore.",
          "fixed_versions": [
            "5.3.12"
          ],
          "identifier": "CVE-2021-41268",
          "identifiers": [
            "CVE-2021-41268",
            "GHSA-qw36-p97w-vcqr"
          ],
          "not_impacted": "All versions before 5.3.0, all versions starting from 5.3.12",
          "package_slug": "packagist/symfony/symfony",
          "pubdate": "2021-11-24",
          "solution": "Upgrade to version 5.3.12 or above.",
          "title": "Session Fixation",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-41268",
            "https://github.com/symfony/symfony/security/advisories/GHSA-qw36-p97w-vcqr",
            "https://github.com/symfony/symfony/releases/tag/v5.3.12",
            "https://github.com/symfony/symfony/commit/36a808b857cd3240244f4b224452fb1e70dc6dfc",
            "https://github.com/symfony/symfony/pull/44243"
          ],
          "uuid": "e685b69d-f44f-4953-8b85-a37009d4ece3"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "5.3.12",
                "versionStartIncluding": "5.3.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-41268"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Symfony/SecurityBundle is the security system for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Since the rework of the Remember me cookie in version 5.3.0, the cookie is not invalidated when the user changes their password. Attackers can therefore maintain their access to the account even if the password is changed as long as they have had the chance to login once and get a valid remember me cookie. Starting with version 5.3.12, Symfony makes the password part of the signature by default. In that way, when the password changes, then the cookie is not valid anymore."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-384"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/symfony/symfony/security/advisories/GHSA-qw36-p97w-vcqr",
              "refsource": "CONFIRM",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/symfony/symfony/security/advisories/GHSA-qw36-p97w-vcqr"
            },
            {
              "name": "https://github.com/symfony/symfony/releases/tag/v5.3.12",
              "refsource": "MISC",
              "tags": [
                "Release Notes",
                "Third Party Advisory"
              ],
              "url": "https://github.com/symfony/symfony/releases/tag/v5.3.12"
            },
            {
              "name": "https://github.com/symfony/symfony/commit/36a808b857cd3240244f4b224452fb1e70dc6dfc",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/symfony/symfony/commit/36a808b857cd3240244f4b224452fb1e70dc6dfc"
            },
            {
              "name": "https://github.com/symfony/symfony/pull/44243",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/symfony/symfony/pull/44243"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 8.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2021-11-30T20:04Z",
      "publishedDate": "2021-11-24T19:15Z"
    }
  }
}

FKIE_CVE-2021-41268

Vulnerability from fkie_nvd - Published: 2021-11-24 19:15 - Updated: 2024-11-21 06:25

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/symfony/symfony/commit/36a808b857cd3240244f4b224452fb1e70dc6dfc	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/symfony/symfony/pull/44243	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/symfony/symfony/releases/tag/v5.3.12	Release Notes, Third Party Advisory
security-advisories@github.com	https://github.com/symfony/symfony/security/advisories/GHSA-qw36-p97w-vcqr	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/symfony/symfony/commit/36a808b857cd3240244f4b224452fb1e70dc6dfc	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/symfony/symfony/pull/44243	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/symfony/symfony/releases/tag/v5.3.12	Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/symfony/symfony/security/advisories/GHSA-qw36-p97w-vcqr	Patch, Third Party Advisory

Impacted products

	Vendor	Product	Version
	sensiolabs	symfony	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "13AF17F8-5CAF-4AB6-9A17-131D76C8D57B",
              "versionEndExcluding": "5.3.12",
              "versionStartIncluding": "5.3.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Symfony/SecurityBundle is the security system for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Since the rework of the Remember me cookie in version 5.3.0, the cookie is not invalidated when the user changes their password. Attackers can therefore maintain their access to the account even if the password is changed as long as they have had the chance to login once and get a valid remember me cookie. Starting with version 5.3.12, Symfony makes the password part of the signature by default. In that way, when the password changes, then the cookie is not valid anymore."
    },
    {
      "lang": "es",
      "value": "Symfony/SecurityBundle es el sistema de seguridad de Symfony, un framework PHP para aplicaciones web y de consola y un conjunto de componentes PHP reusables. Desde la revisi\u00f3n de la cookie Remember me en la versi\u00f3n 5.3.0, la cookie no es invalidada cuando el usuario cambia su contrase\u00f1a. Por lo tanto, los atacantes pueden mantener su acceso a la cuenta aunque se cambie la contrase\u00f1a, siempre y cuando hayan tenido la oportunidad de iniciar sesi\u00f3n una vez y conseguir una cookie remember me v\u00e1lida. A partir de la versi\u00f3n 5.3.12, Symfony hace que la contrase\u00f1a sea parte de la firma por defecto. De esta forma, cuando la contrase\u00f1a cambia, la cookie deja de ser v\u00e1lida"
    }
  ],
  "id": "CVE-2021-41268",
  "lastModified": "2024-11-21T06:25:55.713",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-11-24T19:15:07.817",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/symfony/symfony/commit/36a808b857cd3240244f4b224452fb1e70dc6dfc"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/symfony/symfony/pull/44243"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/symfony/symfony/releases/tag/v5.3.12"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/symfony/symfony/security/advisories/GHSA-qw36-p97w-vcqr"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/symfony/symfony/commit/36a808b857cd3240244f4b224452fb1e70dc6dfc"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/symfony/symfony/pull/44243"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/symfony/symfony/releases/tag/v5.3.12"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/symfony/symfony/security/advisories/GHSA-qw36-p97w-vcqr"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-384"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

CERTFR-2021-AVI-902

Vulnerability from certfr_avis - Published: 2021-11-24 - Updated: 2021-11-24

De multiples vulnérabilités ont été découvertes dans Symfony. Elles permettent à un attaquant de provoquer un contournement de la politique de sécurité et une atteinte à la confidentialité des données.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	Symfony	Symfony	Symfony versions 5.3.x antérieures à 5.3.12
	Symfony	Symfony	Symfony versions 4.4.x antérieures à 4.4.35

References

Title

Publication Time

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2021-41268 (GCVE-0-2021-41268)

GHSA-QW36-P97W-VCQR

Description

Resolution

Credits

GSD-2021-41268

FKIE_CVE-2021-41268

CERTFR-2021-AVI-902

Solution

Tags

Sightings

Nomenclature