Strix
26.1K

CVE-2022-23601

HIGHCVSS 8.8/10EPSS 0.57%

Last modified

CVE-2022-23601 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony form component provides a CSRF protection mechanism by using a random token injected in the form and using the session to store and control the token submitted by the user. EPSS estimates a 0.57% chance of exploitation in the next 30 days.

Description

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony form component provides a CSRF protection mechanism by using a random token injected in the form and using the session to store and control the token submitted by the user. When using the FrameworkBundle, this protection can be enabled or disabled with the configuration. If the configuration is not specified, by default, the mechanism is enabled as long as the session is enabled. In a recent change in the way the configuration is loaded, the default behavior has been dropped and, as a result, the CSRF protection is not enabled in form when not explicitly enabled, which makes the application sensible to CSRF attacks. This issue has been resolved in the patch versions listed and users are advised to update. There are no known workarounds for this issue.

Metrics

CVSS 3.1
8.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Probability
0.57%

42.6th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
SensiolabsSymfony< 5.3.15
SensiolabsSymfony>= 5.4.0, < 5.4.4
SensiolabsSymfony>= 6.0.0, < 6.0.4

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2022-23601?
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony form component provides a CSRF protection mechanism by using a random token injected in the form and using the session to store and control the token submitted by the user. When using the FrameworkBundle, this protection can be enabled or disabled with the configuration. If the configuration is not specified, by default, the mechanism is enabled as long as the session is enabled. In a recent change in the way the configuration is loaded, the default behavior has been dropped and, as a result, the CSRF protection is not enabled in form when not explicitly enabled, which makes the application sensible to CSRF attacks. This issue has been resolved in the patch versions listed and users are advised to update. There are no known workarounds for this issue.
How severe is CVE-2022-23601?
CVE-2022-23601 has a CVSS score of 8.8/10 (HIGH severity). The EPSS model estimates a 0.57% probability of exploitation in the next 30 days.
How do I fix CVE-2022-23601?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2022-23601?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST