CVE-2022-23601

NameCVE-2022-23601
DescriptionSymfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony form component provides a CSRF protection mechanism by using a random token injected in the form and using the session to store and control the token submitted by the user. When using the FrameworkBundle, this protection can be enabled or disabled with the configuration. If the configuration is not specified, by default, the mechanism is enabled as long as the session is enabled. In a recent change in the way the configuration is loaded, the default behavior has been dropped and, as a result, the CSRF protection is not enabled in form when not explicitly enabled, which makes the application sensible to CSRF attacks. This issue has been resolved in the patch versions listed and users are advised to update. There are no known workarounds for this issue.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
symfony (PTS)jessie, jessie (lts)2.3.21+dfsg-4+deb8u6fixed
stretch (security)2.8.7+dfsg-1.3+deb9u3fixed
stretch (lts), stretch2.8.7+dfsg-1.3+deb9u5fixed
buster (security), buster, buster (lts)3.4.22+dfsg-2+deb10u3fixed
bullseye4.4.19+dfsg-2+deb11u6fixed
bookworm5.4.23+dfsg-1+deb12u2fixed
bookworm (security)5.4.23+dfsg-1+deb12u4fixed
sid, trixie6.4.16+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
symfonysource(unstable)(not affected)

Notes

- symfony <not-affected> (Vulnerable code not present; no Debian released version contained the vulnerable code)
https://symfony.com/blog/cve-2022-23601-csrf-token-missing-in-forms
https://github.com/symfony/symfony/commit/f0ffb775febdf07e57117aabadac96fa37857f50

Search for package or bug name: Reporting problems