中危 sensiolabs symfony 跨站请求伪造（csrf）

CVE编号

CVE-2022-23601

利用情况

暂无

补丁情况

官方补丁

披露时间

2022-02-01

漏洞描述

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The Symfony form component provides a CSRF protection mechanism by using a random token injected in the form and using the session to store and control the token submitted by the user. When using the FrameworkBundle, this protection can be enabled or disabled with the configuration. If the configuration is not specified, by default, the mechanism is enabled as long as the session is enabled. In a recent change in the way the configuration is loaded, the default behavior has been dropped and, as a result, the CSRF protection is not enabled in form when not explicitly enabled, which makes the application sensible to CSRF attacks. This issue has been resolved in the patch versions listed and users are advised to update. There are no known workarounds for this issue.

解决建议

建议您更新当前系统或软件至最新版，完成漏洞的修复。

参考链接
https://github.com/symfony/symfony/commit/f0ffb775febdf07e57117aabadac96fa37857f50
https://github.com/symfony/symfony/security/advisories/GHSA-vvmr-8829-6whx

受影响软件情况

#	类型	厂商	产品	版本	影响面
1
	运行在以下环境
	应用	sensiolabs	symfony	*		Up to (excluding) 5.3.15
	运行在以下环境
	应用	sensiolabs	symfony	*	From (including) 5.4.0	Up to (excluding) 5.4.4
	运行在以下环境
	应用	sensiolabs	symfony	*	From (including) 6.0.0	Up to (excluding) 6.0.4
	运行在以下环境
	系统	debian_10	symfony	*		Up to (excluding) 3.4.22+dfsg-2+deb10u1
	运行在以下环境
	系统	debian_11	symfony	*		Up to (excluding) 4.4.19+dfsg-2+deb11u3
	运行在以下环境
	系统	debian_12	symfony	*		Up to (excluding) 5.4.23+dfsg-1
	运行在以下环境
	系统	debian_sid	symfony	*		Up to (excluding) 5.4.30+dfsg-1

阿里云评分 6.6

• 攻击路径 远程
• 攻击复杂度 复杂
• 权限要求 普通权限
• 影响范围 全局影响
• EXP成熟度 未验证
• 补丁情况 官方补丁
• 数据保密性 无影响
• 数据完整性 无影响
• 服务器危害 无影响
• 全网数量 N/A

CWE-ID	漏洞类型
CWE-352	跨站请求伪造（CSRF）

Exp相关链接

- avd.aliyun.com