CVE-2023-46733

Description

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Starting in versions 5.4.21 and 6.2.7 and prior to versions 5.4.31 and 6.3.8, `SessionStrategyListener` does not migrate the session after every successful login. It does so only in case the logged in user changes by means of checking the user identifier. In some use cases, the user identifier doesn't change between the verification phase and the successful login, while the token itself changes from one type (partially-authenticated) to another (fully-authenticated). When this happens, the session id should be regenerated to prevent possible session fixations, which is not the case at the moment. As of versions 5.4.31 and 6.3.8, Symfony now checks the type of the token in addition to the user identifier before deciding whether the session id should be regenerated.

How to fix CVE-2023-46733

To remediate CVE-2023-46733, upgrade the affected package to a fixed version below.

• —upgrade to 5.4.31 or later
• —upgrade to 5.4.23+dfsg-1+deb12u1 or later
• —upgrade to 5.4.31 or later
• —upgrade to 5.4.31 or later

Is CVE-2023-46733 being exploited?

Low — EPSS is 1.3%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

• >= 5.4.21, < 5.4.31, >= 6.2.7, < 6.3.8
• from 0, < 5.4.23+dfsg-1+deb12u1
• >= 5.4.21, < 5.4.31
• >= 5.4.21, < 5.4.31

CVSS scores

References (8)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-46733
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2023-46733
• PATCHgithub.com/symfony/symfony
• WEBgithub.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2023-46733.yaml