CVE-2022-23601

Name	CVE-2022-23601
Description	Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony form component provides a CSRF protection mechanism by using a random token injected in the form and using the session to store and control the token submitted by the user. When using the FrameworkBundle, this protection can be enabled or disabled with the configuration. If the configuration is not specified, by default, the mechanism is enabled as long as the session is enabled. In a recent change in the way the configuration is loaded, the default behavior has been dropped and, as a result, the CSRF protection is not enabled in form when not explicitly enabled, which makes the application sensible to CSRF attacks. This issue has been resolved in the patch versions listed and users are advised to update. There are no known workarounds for this issue.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
symfony (PTS)	jessie, jessie (lts)	2.3.21+dfsg-4+deb8u6	fixed
	stretch (security)	2.8.7+dfsg-1.3+deb9u3	fixed
	stretch (lts), stretch	2.8.7+dfsg-1.3+deb9u5	fixed
	buster (security), buster, buster (lts)	3.4.22+dfsg-2+deb10u3	fixed
	bullseye	4.4.19+dfsg-2+deb11u6	fixed
	bookworm	5.4.23+dfsg-1+deb12u2	fixed
	bookworm (security)	5.4.23+dfsg-1+deb12u4	fixed
	sid, trixie	6.4.15+dfsg-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
symfony	source	(unstable)	(not affected)

Notes

- symfony <not-affected> (Vulnerable code not present; no Debian released version contained the vulnerable code)
https://symfony.com/blog/cve-2022-23601-csrf-token-missing-in-forms
https://github.com/symfony/symfony/commit/f0ffb775febdf07e57117aabadac96fa37857f50