CVE-2022-24894

描述

Description ----------- The Symfony HTTP cache system acts as a reverse proxy: it caches HTTP responses (including headers) and returns them to clients. In a recent `AbstractSessionListener` change, the response might now contain a `Set-Cookie` header. If the Symfony HTTP cache system is enabled, this header might be stored and returned to some other clients. An attacker can use this vulnerability to retrieve the victim's session. Resolution ---------- The `HttpStore` constructor now takes a parameter containing a list of private headers that are removed from the HTTP response headers. The default value for this parameter is `Set-Cookie`, but it can be overridden or extended by the application. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/d2f6322af9444ac5cd1ef3ac6f280dbef7f9d1fb) for branch 4.4. Credits ------- We would like to thank Soner Sayakci for reporting the issue and Nicolas Grekas for fixing it.

受影響套件(4)

• Bitnami/symfony>= 2.0.0, < 4.4.50, >= 5.0.0, < 5.4.2, >= 6.0.0, < 6.0.20, >= 6.1.0, < 6.1.12, >= 6.2.0, < 6.2.6
• Debian/symfonyfrom 0, < 4.4.19+dfsg-2+deb11u2
• Packagist/symfony/http-kernel>= 2.0.0, < 4.4.50
• Packagist/symfony/symfony>= 2.0.0, < 4.4.50

CVSS 分數

參考連結(9)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-24894
• ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2022-24894
• PATCHhttps://github.com/symfony/symfony
• WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-kernel/CVE-2022-24894.yaml
• WEBhttps://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2022-24894.yaml
• WEBhttps://github.com/symfony/symfony/commit/d2f6322af9444ac5cd1ef3ac6f280dbef7f9d1fb
• WEBhttps://github.com/symfony/symfony/security/advisories/GHSA-h7vf-5wrv-9fhv
• WEBhttps://lists.debian.org/debian-lts-announce/2023/07/msg00014.html
• WEBhttps://symfony.com/cve-2022-24894