Lucene search

nessusThis script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.FEDORA_2023-AECDE14648.NASL
HistoryFeb 11, 2023 - 12:00 a.m.

Fedora 36 : php-symfony4 (2023-aecde14648)

This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.
fedora 36
symfony http cache
set-cookie header
session attack
csrf tokens
nessus scanner





The remote Fedora 36 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-aecde14648 advisory.

  • Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony HTTP cache system, acts as a reverse proxy: It caches entire responses (including headers) and returns them to the clients. In a recent change in the AbstractSessionListener, the response might contain a Set-Cookie header. If the Symfony HTTP cache system is enabled, this response might bill stored and return to the next clients. An attacker can use this vulnerability to retrieve the victim’s session. This issue has been patched and is available for branch 4.4. (CVE-2022-24894)

  • Symfony is a PHP framework for web and console applications and a set of reusable PHP components. When authenticating users Symfony by default regenerates the session ID upon login, but preserves the rest of session attributes. Because this does not clear CSRF tokens upon login, this might enables same-site attackers to bypass the CSRF protection mechanism by performing an attack similar to a session-fixation.
    This issue has been fixed in the 4.4 branch. (CVE-2022-24895)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

# (C) Tenable, Inc.
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory FEDORA-2023-aecde14648


if (description)
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/24");

  script_cve_id("CVE-2022-24894", "CVE-2022-24895");
  script_xref(name:"FEDORA", value:"2023-aecde14648");

  script_name(english:"Fedora 36 : php-symfony4 (2023-aecde14648)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Fedora host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Fedora 36 host has a package installed that is affected by multiple vulnerabilities as referenced in the
FEDORA-2023-aecde14648 advisory.

  - Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The
    Symfony HTTP cache system, acts as a reverse proxy: It caches entire responses (including headers) and
    returns them to the clients. In a recent change in the `AbstractSessionListener`, the response might
    contain a `Set-Cookie` header. If the Symfony HTTP cache system is enabled, this response might bill
    stored and return to the next clients. An attacker can use this vulnerability to retrieve the victim's
    session. This issue has been patched and is available for branch 4.4. (CVE-2022-24894)

  - Symfony is a PHP framework for web and console applications and a set of reusable PHP components. When
    authenticating users Symfony by default regenerates the session ID upon login, but preserves the rest of
    session attributes. Because this does not clear CSRF tokens upon login, this might enables same-site
    attackers to bypass the CSRF protection mechanism by performing an attack similar to a session-fixation.
    This issue has been fixed in the 4.4 branch. (CVE-2022-24895)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
  script_set_attribute(attribute:"see_also", value:"");
  script_set_attribute(attribute:"solution", value:
"Update the affected php-symfony4 package.");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-24895");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/02/02");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/02/02");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/02/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:36");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php-symfony4");
  script_set_attribute(attribute:"generated_plugin", value:"current");

  script_family(english:"Fedora Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");



if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Fedora' >!< os_release) audit(AUDIT_OS_NOT, 'Fedora');
var os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Fedora');
os_ver = os_ver[1];
if (! preg(pattern:"^36([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'Fedora 36', 'Fedora ' + os_ver);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Fedora', cpu);

var pkgs = [
    {'reference':'php-symfony4-4.4.50-1.fc36', 'release':'FC36', 'rpm_spec_vers_cmp':TRUE}

var flag = 0;
foreach package_array ( pkgs ) {
  var reference = NULL;
  var _release = NULL;
  var sp = NULL;
  var _cpu = NULL;
  var el_string = NULL;
  var rpm_spec_vers_cmp = NULL;
  var epoch = NULL;
  var allowmaj = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
  if (reference && _release) {
    if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;

if (flag)
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'php-symfony4');