Vulnerability DatabaseCVE-2022-24894
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2022-24894
Published:February 03, 2023
Updated:May 17, 2026
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony HTTP cache system, acts as a reverse proxy: It caches entire responses (including headers) and returns them to the clients. In a recent change in the "AbstractSessionListener", the response might contain a "Set-Cookie" header. If the Symfony HTTP cache system is enabled, this response might bill stored and return to the next clients. An attacker can use this vulnerability to retrieve the victim's session. This issue has been patched and is available for branch 4.4.
Affected Packages
symfony/http-kernel (PHP):
Affected version(s) >=v6.2.0 <v6.2.6
Fix Suggestion:
Update to version v6.2.6
symfony/symfony (PHP):
Affected version(s) >=v6.0.0 <v6.0.20
Fix Suggestion:
Update to version v6.0.20
symfony/http-kernel (PHP):
Affected version(s) >=v6.1.0 <v6.1.12
Fix Suggestion:
Update to version v6.1.12
symfony/http-kernel (PHP):
Affected version(s) >=v5.0.0 <v5.4.20
Fix Suggestion:
Update to version v5.4.20
symfony/http-kernel (PHP):
Affected version(s) >=v2.0.0 <v4.4.50
Fix Suggestion:
Update to version v4.4.50
symfony/symfony (PHP):
Affected version(s) >=v2.0.0 <v4.4.50
Fix Suggestion:
Update to version v4.4.50
symfony/symfony (PHP):
Affected version(s) >=v6.1.0 <v6.1.12
Fix Suggestion:
Update to version v6.1.12
symfony/http-kernel (PHP):
Affected version(s) >=v6.0.0 <v6.0.20
Fix Suggestion:
Update to version v6.0.20
symfony/symfony (PHP):
Affected version(s) >=v5.0.0 <v5.4.20
Fix Suggestion:
Update to version v5.4.20
symfony/symfony (PHP):
Affected version(s) >=v6.2.0 <v6.2.6
Fix Suggestion:
Update to version v6.2.6
Related Resources (10)
https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2022-24894.yaml
https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/24xxx/CVE-2022-24894.json
https://github.com/symfony/symfony/commit/d2f6322af9444ac5cd1ef3ac6f280dbef7f9d1fb
https://lists.debian.org/debian-lts-announce/2023/07/msg00014.html
https://security-tracker.debian.org/tracker/CVE-2022-24894
https://github.com/symfony/symfony/security/advisories/GHSA-h7vf-5wrv-9fhv
https://symfony.com/cve-2022-24894
https://nvd.nist.gov/vuln/detail/CVE-2022-24894
https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/http-kernel/CVE-2022-24894.yaml
https://github.com/symfony/symfony
Do you need more information?
Contact Us
CVSS v4
Base Score:
5.9
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
PASSIVE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
LOW
Vulnerable System Availability
LOW
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
5.9
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
LOW
Availability
LOW
Weakness Type (CWE)
Improper Authorization
CWE-285
EPSS
Base Score:
0.18