GHSA-62f6-h68r-3jpw: 
PHP vulnerability analysis and mitigation

A session validation vulnerability was discovered in Zend Framework (GHSA-62f6-h68r-3jpw) affecting versions 2.0.0 through 2.2.9 and 2.3.0 through 2.3.4. The vulnerability was disclosed on January 14, 2015, and involves Zend\Session session validators not working as expected when set prior to the start of a session (Zend Advisory).

The vulnerability occurs when session validators are set before session start, causing the validators to write to the $_SESSION superglobal prematurely. This data is then overwritten once the session begins, resulting in validator metadata not being properly stored in the session. When subsequent requests are made, the validators have no data to compare against, which causes any validator metadata to be rebuilt from scratch and incorrectly marks the session as valid (Zend Advisory, GitHub Advisory).

An attacker could bypass session validators such as RemoteAddr or HttpUserAgent since the signature that these validators check against is not being properly stored in the session. This effectively renders the session validation mechanisms ineffective, potentially allowing unauthorized access to sessions (Zend Advisory).

The issue has been patched by ensuring that validator signatures are stored in the session immediately following the call to session_start(). Fixed versions include Zend Framework 2.2.9 and 2.3.4. Users are recommended to upgrade immediately if they are using session validators (Zend Advisory).