CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS
Percentile
55.8%
The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3493 advisory.
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling depending on whether the user existed or not when attempting to use the switch users functionality. We now ensure that 403s are returned whether the user exists or not if a user cannot switch to a user or if the user does not exist. The patch for this issue is available for branch 3.4. (CVE-2021-21424)
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony HTTP cache system, acts as a reverse proxy: It caches entire responses (including headers) and returns them to the clients. In a recent change in the AbstractSessionListener
, the response might contain a Set-Cookie
header. If the Symfony HTTP cache system is enabled, this response might bill stored and return to the next clients. An attacker can use this vulnerability to retrieve the victim’s session. This issue has been patched and is available for branch 4.4. (CVE-2022-24894)
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. When authenticating users Symfony by default regenerates the session ID upon login, but preserves the rest of session attributes. Because this does not clear CSRF tokens upon login, this might enables same-site attackers to bypass the CSRF protection mechanism by performing an attack similar to a session-fixation.
This issue has been fixed in the 4.4 branch. (CVE-2022-24895)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
#
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory dla-3493. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#
include('compat.inc');
if (description)
{
script_id(178174);
script_version("1.0");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/07/12");
script_cve_id("CVE-2021-21424", "CVE-2022-24894", "CVE-2022-24895");
script_name(english:"Debian DLA-3493-1 : symfony - LTS security update");
script_set_attribute(attribute:"synopsis", value:
"The remote Debian host is missing one or more security-related updates.");
script_set_attribute(attribute:"description", value:
"The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the
dla-3493 advisory.
- Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The
ability to enumerate users was possible without relevant permissions due to different handling depending
on whether the user existed or not when attempting to use the switch users functionality. We now ensure
that 403s are returned whether the user exists or not if a user cannot switch to a user or if the user
does not exist. The patch for this issue is available for branch 3.4. (CVE-2021-21424)
- Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The
Symfony HTTP cache system, acts as a reverse proxy: It caches entire responses (including headers) and
returns them to the clients. In a recent change in the `AbstractSessionListener`, the response might
contain a `Set-Cookie` header. If the Symfony HTTP cache system is enabled, this response might bill
stored and return to the next clients. An attacker can use this vulnerability to retrieve the victim's
session. This issue has been patched and is available for branch 4.4. (CVE-2022-24894)
- Symfony is a PHP framework for web and console applications and a set of reusable PHP components. When
authenticating users Symfony by default regenerates the session ID upon login, but preserves the rest of
session attributes. Because this does not clear CSRF tokens upon login, this might enables same-site
attackers to bypass the CSRF protection mechanism by performing an attack similar to a session-fixation.
This issue has been fixed in the 4.4 branch. (CVE-2022-24895)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/source-package/symfony");
script_set_attribute(attribute:"see_also", value:"https://www.debian.org/lts/security/2023/dla-3493");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-21424");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-24894");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-24895");
script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/buster/symfony");
script_set_attribute(attribute:"solution", value:
"Upgrade the symfony packages.
For Debian 10 buster, these problems have been fixed in version 3.4.22+dfsg-2+deb10u2.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-21424");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2022-24895");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2021/05/13");
script_set_attribute(attribute:"patch_publication_date", value:"2023/07/12");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/07/12");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-symfony");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-symfony-asset");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-symfony-browser-kit");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-symfony-cache");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-symfony-class-loader");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-symfony-config");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-symfony-console");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-symfony-css-selector");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-symfony-debug");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-symfony-debug-bundle");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-symfony-dependency-injection");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-symfony-doctrine-bridge");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-symfony-dom-crawler");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-symfony-dotenv");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-symfony-event-dispatcher");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-symfony-expression-language");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-symfony-filesystem");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-symfony-finder");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-symfony-form");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-symfony-framework-bundle");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-symfony-http-foundation");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-symfony-http-kernel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-symfony-inflector");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-symfony-intl");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-symfony-ldap");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-symfony-lock");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-symfony-monolog-bridge");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-symfony-options-resolver");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-symfony-phpunit-bridge");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-symfony-process");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-symfony-property-access");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-symfony-property-info");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-symfony-proxy-manager-bridge");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-symfony-routing");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-symfony-security");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-symfony-security-bundle");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-symfony-security-core");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-symfony-security-csrf");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-symfony-security-guard");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-symfony-security-http");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-symfony-serializer");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-symfony-stopwatch");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-symfony-templating");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-symfony-translation");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-symfony-twig-bridge");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-symfony-twig-bundle");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-symfony-validator");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-symfony-var-dumper");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-symfony-web-link");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-symfony-web-profiler-bundle");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-symfony-web-server-bundle");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-symfony-workflow");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:php-symfony-yaml");
script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:10.0");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Debian Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
exit(0);
}
include('debian_package.inc');
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
var debian_release = get_kb_item('Host/Debian/release');
if ( isnull(debian_release) ) audit(AUDIT_OS_NOT, 'Debian');
debian_release = chomp(debian_release);
if (! preg(pattern:"^(10)\.[0-9]+", string:debian_release)) audit(AUDIT_OS_NOT, 'Debian 10.0', 'Debian ' + debian_release);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);
var pkgs = [
{'release': '10.0', 'prefix': 'php-symfony', 'reference': '3.4.22+dfsg-2+deb10u2'},
{'release': '10.0', 'prefix': 'php-symfony-asset', 'reference': '3.4.22+dfsg-2+deb10u2'},
{'release': '10.0', 'prefix': 'php-symfony-browser-kit', 'reference': '3.4.22+dfsg-2+deb10u2'},
{'release': '10.0', 'prefix': 'php-symfony-cache', 'reference': '3.4.22+dfsg-2+deb10u2'},
{'release': '10.0', 'prefix': 'php-symfony-class-loader', 'reference': '3.4.22+dfsg-2+deb10u2'},
{'release': '10.0', 'prefix': 'php-symfony-config', 'reference': '3.4.22+dfsg-2+deb10u2'},
{'release': '10.0', 'prefix': 'php-symfony-console', 'reference': '3.4.22+dfsg-2+deb10u2'},
{'release': '10.0', 'prefix': 'php-symfony-css-selector', 'reference': '3.4.22+dfsg-2+deb10u2'},
{'release': '10.0', 'prefix': 'php-symfony-debug', 'reference': '3.4.22+dfsg-2+deb10u2'},
{'release': '10.0', 'prefix': 'php-symfony-debug-bundle', 'reference': '3.4.22+dfsg-2+deb10u2'},
{'release': '10.0', 'prefix': 'php-symfony-dependency-injection', 'reference': '3.4.22+dfsg-2+deb10u2'},
{'release': '10.0', 'prefix': 'php-symfony-doctrine-bridge', 'reference': '3.4.22+dfsg-2+deb10u2'},
{'release': '10.0', 'prefix': 'php-symfony-dom-crawler', 'reference': '3.4.22+dfsg-2+deb10u2'},
{'release': '10.0', 'prefix': 'php-symfony-dotenv', 'reference': '3.4.22+dfsg-2+deb10u2'},
{'release': '10.0', 'prefix': 'php-symfony-event-dispatcher', 'reference': '3.4.22+dfsg-2+deb10u2'},
{'release': '10.0', 'prefix': 'php-symfony-expression-language', 'reference': '3.4.22+dfsg-2+deb10u2'},
{'release': '10.0', 'prefix': 'php-symfony-filesystem', 'reference': '3.4.22+dfsg-2+deb10u2'},
{'release': '10.0', 'prefix': 'php-symfony-finder', 'reference': '3.4.22+dfsg-2+deb10u2'},
{'release': '10.0', 'prefix': 'php-symfony-form', 'reference': '3.4.22+dfsg-2+deb10u2'},
{'release': '10.0', 'prefix': 'php-symfony-framework-bundle', 'reference': '3.4.22+dfsg-2+deb10u2'},
{'release': '10.0', 'prefix': 'php-symfony-http-foundation', 'reference': '3.4.22+dfsg-2+deb10u2'},
{'release': '10.0', 'prefix': 'php-symfony-http-kernel', 'reference': '3.4.22+dfsg-2+deb10u2'},
{'release': '10.0', 'prefix': 'php-symfony-inflector', 'reference': '3.4.22+dfsg-2+deb10u2'},
{'release': '10.0', 'prefix': 'php-symfony-intl', 'reference': '3.4.22+dfsg-2+deb10u2'},
{'release': '10.0', 'prefix': 'php-symfony-ldap', 'reference': '3.4.22+dfsg-2+deb10u2'},
{'release': '10.0', 'prefix': 'php-symfony-lock', 'reference': '3.4.22+dfsg-2+deb10u2'},
{'release': '10.0', 'prefix': 'php-symfony-monolog-bridge', 'reference': '3.4.22+dfsg-2+deb10u2'},
{'release': '10.0', 'prefix': 'php-symfony-options-resolver', 'reference': '3.4.22+dfsg-2+deb10u2'},
{'release': '10.0', 'prefix': 'php-symfony-phpunit-bridge', 'reference': '3.4.22+dfsg-2+deb10u2'},
{'release': '10.0', 'prefix': 'php-symfony-process', 'reference': '3.4.22+dfsg-2+deb10u2'},
{'release': '10.0', 'prefix': 'php-symfony-property-access', 'reference': '3.4.22+dfsg-2+deb10u2'},
{'release': '10.0', 'prefix': 'php-symfony-property-info', 'reference': '3.4.22+dfsg-2+deb10u2'},
{'release': '10.0', 'prefix': 'php-symfony-proxy-manager-bridge', 'reference': '3.4.22+dfsg-2+deb10u2'},
{'release': '10.0', 'prefix': 'php-symfony-routing', 'reference': '3.4.22+dfsg-2+deb10u2'},
{'release': '10.0', 'prefix': 'php-symfony-security', 'reference': '3.4.22+dfsg-2+deb10u2'},
{'release': '10.0', 'prefix': 'php-symfony-security-bundle', 'reference': '3.4.22+dfsg-2+deb10u2'},
{'release': '10.0', 'prefix': 'php-symfony-security-core', 'reference': '3.4.22+dfsg-2+deb10u2'},
{'release': '10.0', 'prefix': 'php-symfony-security-csrf', 'reference': '3.4.22+dfsg-2+deb10u2'},
{'release': '10.0', 'prefix': 'php-symfony-security-guard', 'reference': '3.4.22+dfsg-2+deb10u2'},
{'release': '10.0', 'prefix': 'php-symfony-security-http', 'reference': '3.4.22+dfsg-2+deb10u2'},
{'release': '10.0', 'prefix': 'php-symfony-serializer', 'reference': '3.4.22+dfsg-2+deb10u2'},
{'release': '10.0', 'prefix': 'php-symfony-stopwatch', 'reference': '3.4.22+dfsg-2+deb10u2'},
{'release': '10.0', 'prefix': 'php-symfony-templating', 'reference': '3.4.22+dfsg-2+deb10u2'},
{'release': '10.0', 'prefix': 'php-symfony-translation', 'reference': '3.4.22+dfsg-2+deb10u2'},
{'release': '10.0', 'prefix': 'php-symfony-twig-bridge', 'reference': '3.4.22+dfsg-2+deb10u2'},
{'release': '10.0', 'prefix': 'php-symfony-twig-bundle', 'reference': '3.4.22+dfsg-2+deb10u2'},
{'release': '10.0', 'prefix': 'php-symfony-validator', 'reference': '3.4.22+dfsg-2+deb10u2'},
{'release': '10.0', 'prefix': 'php-symfony-var-dumper', 'reference': '3.4.22+dfsg-2+deb10u2'},
{'release': '10.0', 'prefix': 'php-symfony-web-link', 'reference': '3.4.22+dfsg-2+deb10u2'},
{'release': '10.0', 'prefix': 'php-symfony-web-profiler-bundle', 'reference': '3.4.22+dfsg-2+deb10u2'},
{'release': '10.0', 'prefix': 'php-symfony-web-server-bundle', 'reference': '3.4.22+dfsg-2+deb10u2'},
{'release': '10.0', 'prefix': 'php-symfony-workflow', 'reference': '3.4.22+dfsg-2+deb10u2'},
{'release': '10.0', 'prefix': 'php-symfony-yaml', 'reference': '3.4.22+dfsg-2+deb10u2'}
];
var flag = 0;
foreach package_array ( pkgs ) {
var _release = NULL;
var prefix = NULL;
var reference = NULL;
if (!empty_or_null(package_array['release'])) _release = package_array['release'];
if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];
if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
if (_release && prefix && reference) {
if (deb_check(release:_release, prefix:prefix, reference:reference)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : deb_report_get()
);
exit(0);
}
else
{
var tested = deb_pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'php-symfony / php-symfony-asset / php-symfony-browser-kit / etc');
}
Vendor | Product | Version | CPE |
---|---|---|---|
debian | debian_linux | php-symfony | p-cpe:/a:debian:debian_linux:php-symfony |
debian | debian_linux | php-symfony-asset | p-cpe:/a:debian:debian_linux:php-symfony-asset |
debian | debian_linux | php-symfony-browser-kit | p-cpe:/a:debian:debian_linux:php-symfony-browser-kit |
debian | debian_linux | php-symfony-cache | p-cpe:/a:debian:debian_linux:php-symfony-cache |
debian | debian_linux | php-symfony-class-loader | p-cpe:/a:debian:debian_linux:php-symfony-class-loader |
debian | debian_linux | php-symfony-config | p-cpe:/a:debian:debian_linux:php-symfony-config |
debian | debian_linux | php-symfony-console | p-cpe:/a:debian:debian_linux:php-symfony-console |
debian | debian_linux | php-symfony-css-selector | p-cpe:/a:debian:debian_linux:php-symfony-css-selector |
debian | debian_linux | php-symfony-debug | p-cpe:/a:debian:debian_linux:php-symfony-debug |
debian | debian_linux | php-symfony-debug-bundle | p-cpe:/a:debian:debian_linux:php-symfony-debug-bundle |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21424
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24894
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24895
packages.debian.org/source/buster/symfony
security-tracker.debian.org/tracker/CVE-2021-21424
security-tracker.debian.org/tracker/CVE-2022-24894
security-tracker.debian.org/tracker/CVE-2022-24895
security-tracker.debian.org/tracker/source-package/symfony
www.debian.org/lts/security/2023/dla-3493
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS
Percentile
55.8%