[USN-7272-1] Symfony vulnerabilities

Hlib Korzhynskyy hlib.korzhynskyy at canonical.com
Tue Feb 18 17:27:46 UTC 2025 

==========================================================================
Ubuntu Security Notice USN-7272-1
February 18, 2025

symfony vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS

Summary:

Several security issues were fixed in Symfony.

Software Description:
- symfony: set of reusable components and framework for web projects

Details:

Soner Sayakci discovered that Symfony incorrectly handled cookie storage in
the web cache. An attacker could possibly use this issue to obtain
sensitive information and access unauthorized resources. (CVE-2022-24894)

Marco Squarcina discovered that Symfony incorrectly handled the storage of
user session information. An attacker could possibly use this issue to
perform a cross-site request forgery (CSRF) attack. (CVE-2022-24895)

Pierre Rudloff discovered that Symfony incorrectly checked HTML input. An
attacker could possibly use this issue to perform cross site scripting.
(CVE-2023-46734)

Vladimir Dusheyko discovered that Symfony incorrectly sanitized special
input with a PHP directive in URL query strings. An attacker could possibly
use this issue to expose sensitive information or cause a denial of
service. This issue only affected Ubuntu 24.04 LTS and Ubuntu 22.04 LTS.
(CVE-2024-50340)

Oleg Andreyev, Antoine Makdessi, and Moritz Rauch discovered that Symfony
incorrectly handled user authentication. An attacker could possibly use
this issue to access unauthorized resources and expose sensitive
information. This issue was only addressed in Ubuntu 24.04 LTS.
(CVE-2024-50341, CVE-2024-51996)

Linus Karlsson and Chris Smith discovered that Symfony returned internal
host information during host resolution. An attacker could possibly use
this issue to obtain sensitive information. This issue only affected Ubuntu
24.04 LTS and Ubuntu 22.04 LTS. (CVE-2024-50342)

It was discovered that Symfony incorrectly parsed user input through
regular expressions. An attacker could possibly use this issue to expose
sensitive information. (CVE-2024-50343)

Sam Mush discovered that Symfony incorrectly parsed URIs with special
characters. An attacker could possibly use this issue to perform phishing
attacks. (CVE-2024-50345)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
   php-symfony                     6.4.5+dfsg-3ubuntu3+esm1
                                   Available with Ubuntu Pro

Ubuntu 22.04 LTS
   php-symfony                     5.4.4+dfsg-1ubuntu8+esm1
                                   Available with Ubuntu Pro

Ubuntu 20.04 LTS
   php-symfony                     4.3.8+dfsg-1ubuntu1+esm2
                                   Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
   https://ubuntu.com/security/notices/USN-7272-1
   CVE-2022-24894, CVE-2022-24895, CVE-2023-46734, CVE-2024-50340,
   CVE-2024-50341, CVE-2024-50342, CVE-2024-50343, CVE-2024-50345,
   CVE-2024-51996
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20250218/56c2a656/attachment.sig>

More information about the ubuntu-security-announce mailing list