CVE-2022-24895: 
PHP vulnerability analysis and mitigation

CVE-2022-24895 affects Symfony, a PHP framework for web and console applications. The vulnerability was discovered when it was found that Symfony, by default, regenerates the session ID upon login but preserves other session attributes. This preservation of session attributes, specifically CSRF tokens, could enable same-site attackers to bypass the CSRF protection mechanism through an attack similar to session fixation. The vulnerability was reported by Marco Squarcina and was fixed in February 2023 (Symfony Advisory).

The vulnerability affects multiple versions of Symfony, including versions from 2.0.0 up to 4.4.50, 5.0.0 to 5.4.20, 6.0.0 to 6.0.20, 6.1.0 to 6.1.12, and 6.2.0 to 6.2.6. The issue received a CVSS v3.1 base score of 8.8 (HIGH) from NVD with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, while GitHub assessed it as 6.3 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L (NVD).

The vulnerability could allow same-site attackers to bypass the CSRF protection mechanism, potentially leading to unauthorized actions being performed on behalf of authenticated users. The preservation of CSRF tokens after login creates a condition similar to session fixation, which could be exploited by attackers to perform cross-site request forgery attacks (Debian LTS).

The issue has been fixed in Symfony versions 4.4.50, 5.4.20, 6.0.20, 6.1.12, and 6.2.6. The fix involves removing all CSRF tokens from the session on successful login. The patch was implemented by Nicolas Grekas and is available in the security updates (Symfony Advisory, Security Patch).