Detections
Analytics

Debian dla-3493 : php-symfony - security update

high Nessus Plugin ID 178174

Language:

Synopsis

The remote Debian host is missing one or more security-related updates.

Description

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3493 advisory.

 ------------------------------------------------------------------------- Debian LTS Advisory DLA-3493-1 [email protected] https://www.debian.org/lts/security/ Guilhem Moulin July 11, 2023 https://wiki.debian.org/LTS
 -------------------------------------------------------------------------

 Package : symfony Version : 3.4.22+dfsg-2+deb10u2 CVE ID : CVE-2021-21424 CVE-2022-24894 CVE-2022-24895

 Multiple security vulnerabilities were found in symfony, a PHP framework for web and console applications and a set of reusable PHP components, which could lead to information disclosure or impersonation.

 CVE-2021-21424

 James Isaac, Mathias Brodala and Laurent Minguet discovered that it was possible to enumerate users without relevant permissions due to different exception messages depending on whether the user existed or not. It was also possible to enumerate users by using a timing attack, by comparing time elapsed when authenticating an existing user and authenticating a non-existing user.

 403s are now returned whether the user exists or not if a user cannot switch to a user or if the user does not exist.

 CVE-2022-24894

 Soner Sayakci discovered that when the Symfony HTTP cache system is enabled, the response header might be stored with a `Set-Cookie` header and returned to some other clients, thereby allowing an attacker to retrieve the victim's session.

 The `HttpStore` constructor now takes a parameter containing a list of private headers that are removed from the HTTP response headers.
 The default value for this parameter is `Set-Cookie`, but it can be overridden or extended by the application.

 CVE-2022-24895

 Marco Squarcina discovered that CSRF tokens aren't cleared upon login, which could enable same-site attackers to bypass the CSRF protection mechanism by performing an attack similar to a session-fixation.

 For Debian 10 buster, these problems have been fixed in version 3.4.22+dfsg-2+deb10u2.

 We recommend that you upgrade your symfony packages.

 For the detailed security status of symfony please refer to its security tracker page at:
 https://security-tracker.debian.org/tracker/symfony

 Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS Attachment:
 signature.asc Description: PGP signature

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the php-symfony packages.

See Also

https://security-tracker.debian.org/tracker/source-package/symfony

https://security-tracker.debian.org/tracker/CVE-2021-21424

https://security-tracker.debian.org/tracker/CVE-2022-24894

https://security-tracker.debian.org/tracker/CVE-2022-24895

https://packages.debian.org/source/buster/symfony

Plugin Details

Severity: High

ID: 178174

File Name: debian_DLA-3493.nasl

Version: 1.1

Type: local

Agent: unix

Published: 7/12/2023

Updated: 1/22/2025

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2021-21424

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2022-24895

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:php-symfony-event-dispatcher, p-cpe:/a:debian:debian_linux:php-symfony-security-http, p-cpe:/a:debian:debian_linux:php-symfony-framework-bundle, p-cpe:/a:debian:debian_linux:php-symfony-doctrine-bridge, p-cpe:/a:debian:debian_linux:php-symfony-intl, p-cpe:/a:debian:debian_linux:php-symfony-dom-crawler, p-cpe:/a:debian:debian_linux:php-symfony-browser-kit, p-cpe:/a:debian:debian_linux:php-symfony-filesystem, p-cpe:/a:debian:debian_linux:php-symfony-ldap, p-cpe:/a:debian:debian_linux:php-symfony-routing, p-cpe:/a:debian:debian_linux:php-symfony-web-profiler-bundle, p-cpe:/a:debian:debian_linux:php-symfony-http-kernel, p-cpe:/a:debian:debian_linux:php-symfony-monolog-bridge, cpe:/o:debian:debian_linux:10.0, p-cpe:/a:debian:debian_linux:php-symfony-proxy-manager-bridge, p-cpe:/a:debian:debian_linux:php-symfony-form, p-cpe:/a:debian:debian_linux:php-symfony-serializer, p-cpe:/a:debian:debian_linux:php-symfony-property-info, p-cpe:/a:debian:debian_linux:php-symfony-class-loader, p-cpe:/a:debian:debian_linux:php-symfony, p-cpe:/a:debian:debian_linux:php-symfony-web-link, p-cpe:/a:debian:debian_linux:php-symfony-debug-bundle, p-cpe:/a:debian:debian_linux:php-symfony-debug, p-cpe:/a:debian:debian_linux:php-symfony-console, p-cpe:/a:debian:debian_linux:php-symfony-translation, p-cpe:/a:debian:debian_linux:php-symfony-property-access, p-cpe:/a:debian:debian_linux:php-symfony-templating, p-cpe:/a:debian:debian_linux:php-symfony-dependency-injection, p-cpe:/a:debian:debian_linux:php-symfony-security-guard, p-cpe:/a:debian:debian_linux:php-symfony-phpunit-bridge, p-cpe:/a:debian:debian_linux:php-symfony-twig-bridge, p-cpe:/a:debian:debian_linux:php-symfony-stopwatch, p-cpe:/a:debian:debian_linux:php-symfony-web-server-bundle, p-cpe:/a:debian:debian_linux:php-symfony-lock, p-cpe:/a:debian:debian_linux:php-symfony-security-core, p-cpe:/a:debian:debian_linux:php-symfony-asset, p-cpe:/a:debian:debian_linux:php-symfony-config, p-cpe:/a:debian:debian_linux:php-symfony-options-resolver, p-cpe:/a:debian:debian_linux:php-symfony-css-selector, p-cpe:/a:debian:debian_linux:php-symfony-cache, p-cpe:/a:debian:debian_linux:php-symfony-twig-bundle, p-cpe:/a:debian:debian_linux:php-symfony-expression-language, p-cpe:/a:debian:debian_linux:php-symfony-workflow, p-cpe:/a:debian:debian_linux:php-symfony-finder, p-cpe:/a:debian:debian_linux:php-symfony-http-foundation, p-cpe:/a:debian:debian_linux:php-symfony-inflector, p-cpe:/a:debian:debian_linux:php-symfony-security-csrf, p-cpe:/a:debian:debian_linux:php-symfony-security, p-cpe:/a:debian:debian_linux:php-symfony-dotenv, p-cpe:/a:debian:debian_linux:php-symfony-process, p-cpe:/a:debian:debian_linux:php-symfony-var-dumper, p-cpe:/a:debian:debian_linux:php-symfony-yaml, p-cpe:/a:debian:debian_linux:php-symfony-security-bundle, p-cpe:/a:debian:debian_linux:php-symfony-validator

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 7/12/2023

Vulnerability Publication Date: 5/13/2021

Reference Information

CVE: CVE-2021-21424, CVE-2022-24894, CVE-2022-24895