What is CVE-2018-11385?

CVE-2018-11385 is a session fixation issue in the Security component in Symfony which allows an attacker to impersonate a victim.

What is the severity of CVE-2018-11385?

CVE-2018-11385 has a severity value of 8.1 (High).

How can I fix the session fixation issue in Symfony?

To fix the session fixation issue in Symfony, you should upgrade to the latest patched version of Symfony in the affected minor versions (2.7.x, 2.8.x, 3.3.x, 3.4.x, or 4.0.x).

Where can I find more information about CVE-2018-11385?

You can find more information about CVE-2018-11385 on the Symfony website (https://symfony.com/cve-2018-11385) and the NIST NVD (https://nvd.nist.gov/vuln/detail/CVE-2018-11385).

Vulnerability/
CVE-2018-11385

high

8.1

CWE

384

25/5/2018

13/6/2018

5/8/2024

CVE-2018-11385

Q: Which versions of Symfony are affected by CVE-2018-11385?

Symfony versions 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11 are affected by CVE-2018-11385.

First published: Fri May 25 2018(Updated: )

An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. A session fixation vulnerability within the "Guard" login feature may allow an attacker to impersonate a victim towards the web application if the session id value was previously known to the attacker.

Credit: cve@mitre.org cve@mitre.org

Affected Software	Affected Version	How to fix
composer/symfony/symfony	>=2.0.0<2.1.0>=2.1.0<2.2.0>=2.2.0<2.3.0>=2.3.0<2.4.0>=2.4.0<2.5.0>=2.5.0<2.6.0>=2.6.0<2.7.0>=2.7.0<2.7.48>=2.8.0<2.8.41>=3.0.0<3.1.0>=3.1.0<3.2.0>=3.2.0<3.3.0>=3.3.0<3.3.17>=3.4.0<3.4.11>=4.0.0<4.0.11
composer/symfony/security	>=2.0.0<2.1.0>=2.1.0<2.2.0>=2.2.0<2.3.0>=2.3.0<2.4.0>=2.4.0<2.5.0>=2.5.0<2.6.0>=2.6.0<2.7.0>=2.7.0<2.7.48>=2.8.0<2.8.41>=3.0.0<3.1.0>=3.1.0<3.2.0>=3.2.0<3.3.0>=3.3.0<3.3.17>=3.4.0<3.4.11>=4.0.0<4.0.11
composer/symfony/security-http	>=2.4.0<2.7.48>=2.5.0<2.7.48>=2.6.0<2.7.48>=2.7.0<2.7.48>=2.8.0<2.8.41>=3.0.0<3.1.0>=3.1.0<3.2.0>=3.2.0<3.3.0>=3.3.0<3.3.17>=3.4.0<3.4.11>=4.0.0<4.0.11
composer/symfony/security-guard	>=2.8.0<2.8.41>=3.0.0<3.1.0>=3.1.0<3.2.0>=3.2.0<3.3.0>=3.3.0<3.3.17>=3.4.0<3.4.11>=4.0.0<4.0.11
SensioLabs Symfony	>=2.7.0<2.7.48
SensioLabs Symfony	>=2.8.0<2.8.41
SensioLabs Symfony	>=3.3.0<3.3.17
SensioLabs Symfony	>=3.4.0<3.4.11
SensioLabs Symfony	>=4.0.0<4.0.11
Debian Debian Linux	=8.0
Debian Debian Linux	=9.0
Fedoraproject Fedora	=28
debian/symfony		3.4.22+dfsg-2+deb10u1 3.4.22+dfsg-2+deb10u2 4.4.19+dfsg-2+deb11u3 5.4.23+dfsg-1 5.4.29+dfsg-1 5.4.30+dfsg-1
composer/symfony/security	>=4.0.0<4.0.11	4.0.11
composer/symfony/security	>=3.4.0<3.4.11	3.4.11
composer/symfony/security	>=3.0.0<3.3.17	3.3.17
composer/symfony/security	>=2.8.0<2.8.41	2.8.41
composer/symfony/security	>=2.7.0<2.7.48	2.7.48
composer/symfony/security-http	>=4.0.0<4.0.11	4.0.11
composer/symfony/security-http	>=3.4.0<3.4.11	3.4.11
composer/symfony/security-http	>=3.0.0<3.3.17	3.3.17
composer/symfony/security-http	>=2.8.0<2.8.41	2.8.41
composer/symfony/security-http	>=2.7.0<2.7.48	2.7.48
composer/symfony/symfony	>=3.0.0<3.3.17	3.3.17
composer/symfony/symfony	>=4.0.0<4.0.11	4.0.11
composer/symfony/symfony	>=3.4.0<3.4.11	3.4.11
composer/symfony/symfony	>=2.8.0<2.8.41	2.8.41
composer/symfony/symfony	>=2.7.0<2.7.48	2.7.48

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2018-11385?
CVE-2018-11385 is a session fixation issue in the Security component in Symfony which allows an attacker to impersonate a victim.
What is the severity of CVE-2018-11385?
CVE-2018-11385 has a severity value of 8.1 (High).
Which versions of Symfony are affected by CVE-2018-11385?
Symfony versions 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11 are affected by CVE-2018-11385.
How can I fix the session fixation issue in Symfony?
To fix the session fixation issue in Symfony, you should upgrade to the latest patched version of Symfony in the affected minor versions (2.7.x, 2.8.x, 3.3.x, 3.4.x, or 4.0.x).
Where can I find more information about CVE-2018-11385?
You can find more information about CVE-2018-11385 on the Symfony website (https://symfony.com/cve-2018-11385) and the NIST NVD (https://nvd.nist.gov/vuln/detail/CVE-2018-11385).

collector/friends-of-php
collector/nvd-index
collector/security-tracker-debian
agent/author
agent/type
agent/first-publish-date
collector/github-advisory-latest
source/GitHub
alias/GHSA-g4rg-rw65-8hfg
alias/CVE-2018-11385
agent/software-canonical-lookup
agent/last-modified-date
agent/severity
agent/weakness
agent/description
agent/event
collector/nvd-cve
source/NVD
agent/references
collector/github-advisory
agent/softwarecombine
agent/tags
collector/mitre-cve
source/MITRE
package-manager/composer
vendor/sensiolabs
canonical/sensiolabs symfony
version/sensiolabs symfony/2.7.0
version/sensiolabs symfony/2.8.0
version/sensiolabs symfony/3.3.0
version/sensiolabs symfony/3.4.0
version/sensiolabs symfony/4.0.0
vendor/debian
canonical/debian debian linux
version/debian debian linux/8.0
version/debian debian linux/9.0
vendor/fedoraproject
canonical/fedoraproject fedora
version/fedoraproject fedora/28
package-manager/debian

CVE-2018-11385

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2018-11385?

What is the severity of CVE-2018-11385?

Which versions of Symfony are affected by CVE-2018-11385?

How can I fix the session fixation issue in Symfony?

Where can I find more information about CVE-2018-11385?

Company

Resources

Contact