Test ID:	1.3.6.1.4.1.25623.1.1.1.2.2023.3493
Category:	Debian Local Security Checks
Title:	Debian: Security Advisory (DLA-3493-1)
Summary:	The remote host is missing an update for the Debian 'symfony' package(s) announced via the DLA-3493-1 advisory.
Description:	Summary: The remote host is missing an update for the Debian 'symfony' package(s) announced via the DLA-3493-1 advisory. Vulnerability Insight: Multiple security vulnerabilities were found in symfony, a PHP framework for web and console applications and a set of reusable PHP components, which could lead to information disclosure or impersonation. CVE-2021-21424 James Isaac, Mathias Brodala and Laurent Minguet discovered that it was possible to enumerate users without relevant permissions due to different exception messages depending on whether the user existed or not. It was also possible to enumerate users by using a timing attack, by comparing time elapsed when authenticating an existing user and authenticating a non-existing user. 403s are now returned whether the user exists or not if a user cannot switch to a user or if the user does not exist. CVE-2022-24894 Soner Sayakci discovered that when the Symfony HTTP cache system is enabled, the response header might be stored with a Set-Cookie header and returned to some other clients, thereby allowing an attacker to retrieve the victim's session. The HttpStore constructor now takes a parameter containing a list of private headers that are removed from the HTTP response headers. The default value for this parameter is Set-Cookie, but it can be overridden or extended by the application. CVE-2022-24895 Marco Squarcina discovered that CSRF tokens weren't cleared upon login, which could enable same-site attackers to bypass the CSRF protection mechanism by performing an attack similar to a session-fixation. For Debian 10 buster, these problems have been fixed in version 3.4.22+dfsg-2+deb10u2. We recommend that you upgrade your symfony packages. For the detailed security status of symfony please refer to its security tracker page at: [link moved to references] Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: [link moved to references] Affected Software/OS: 'symfony' package(s) on Debian 10. Solution: Please install the updated package(s). CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2021-21424 https://github.com/symfony/symfony/security/advisories/GHSA-5pv8-ppvj-4h68 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VRUS2H2SSOQWNLBD35SKIWIDQEMV2PD3/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RH7TMM5CHQYBFFGXWRPJDPB3SKCZXI2M/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UC7BND775DVZDQT3RMGD2HVB2PKLJDJW/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KENRNLB3FYXYGDWRBH2PDBOZZKOD7VY4/ https://github.com/symfony/symfony/commit/2a581d22cc621b33d5464ed65c4bc2057f72f011 https://lists.debian.org/debian-lts-announce/2023/07/msg00014.html Common Vulnerability Exposure (CVE) ID: CVE-2022-24894 https://github.com/symfony/symfony/commit/d2f6322af9444ac5cd1ef3ac6f280dbef7f9d1fb https://github.com/symfony/symfony/security/advisories/GHSA-h7vf-5wrv-9fhv Common Vulnerability Exposure (CVE) ID: CVE-2022-24895 https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-bundle/CVE-2022-24895.yaml https://github.com/symfony/security-bundle/commit/076fd2088ada33d760758d98ff07ddedbf567946 https://github.com/symfony/symfony/commit/5909d74ecee359ea4982fcf4331aaf2e489a1fd4 https://github.com/symfony/symfony/security/advisories/GHSA-3gv2-29qc-v67m
Copyright	Copyright (C) 2023 Greenbone AG

This is only one of 146377 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.