CVE-2021-41268

Published: 24 November 2021

Symfony/SecurityBundle is the security system for Symfony, a PHP framework for web and console applications and a set of reusable PHP components. Since the rework of the Remember me cookie in version 5.3.0, the cookie is not invalidated when the user changes their password. Attackers can therefore maintain their access to the account even if the password is changed as long as they have had the chance to login once and get a valid remember me cookie. Starting with version 5.3.12, Symfony makes the password part of the signature by default. In that way, when the password changes, then the cookie is not valid anymore.

Priority

Cvss 3 Severity Score

8.8

Score breakdown

Status

Package	Release	Status
symfony Launchpad, Ubuntu, Debian	bionic	Not vulnerable (code not present)
	focal	Not vulnerable (code not present)
	hirsute	Ignored (end of life)
	impish	Not vulnerable (code not present)
	jammy	Not vulnerable (code not present)
	trusty	Ignored (end of standard support)
	upstream	Not vulnerable (debian: Vulnerable code never in released version in unstable)
	xenial	Not vulnerable (code not present)
	Patches: upstream: https://github.com/symfony/symfony/commit/36a808b857cd3240244f4b224452fb1e70dc6dfc

Severity score breakdown

Parameter	Value
Base score	8.8
Attack vector	Network
Attack complexity	Low
Privileges required	Low
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity impact	High
Availability impact	High
Vector	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›