CWE
352
Advisory Published

USN-7272-1: Symfony vulnerabilities

First published: Tue Feb 18 2025(Updated: )

Soner Sayakci discovered that Symfony incorrectly handled cookie storage in the web cache. An attacker could possibly use this issue to obtain sensitive information and access unauthorized resources. (CVE-2022-24894) Marco Squarcina discovered that Symfony incorrectly handled the storage of user session information. An attacker could possibly use this issue to perform a cross-site request forgery (CSRF) attack. (CVE-2022-24895) Pierre Rudloff discovered that Symfony incorrectly checked HTML input. An attacker could possibly use this issue to perform cross site scripting. (CVE-2023-46734) Vladimir Dusheyko discovered that Symfony incorrectly sanitized special input with a PHP directive in URL query strings. An attacker could possibly use this issue to expose sensitive information or cause a denial of service. This issue only affected Ubuntu 24.04 LTS and Ubuntu 22.04 LTS. (CVE-2024-50340) Oleg Andreyev, Antoine Makdessi, and Moritz Rauch discovered that Symfony incorrectly handled user authentication. An attacker could possibly use this issue to access unauthorized resources and expose sensitive information. This issue was only addressed in Ubuntu 24.04 LTS. (CVE-2024-50341, CVE-2024-51996) Linus Karlsson and Chris Smith discovered that Symfony returned internal host information during host resolution. An attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu 24.04 LTS and Ubuntu 22.04 LTS. (CVE-2024-50342) It was discovered that Symfony incorrectly parsed user input through regular expressions. An attacker could possibly use this issue to expose sensitive information. (CVE-2024-50343) Sam Mush discovered that Symfony incorrectly parsed URIs with special characters. An attacker could possibly use this issue to perform phishing attacks. (CVE-2024-50345)

Affected SoftwareAffected VersionHow to fix
All of
ubuntu/php-symfony<6.4.5+dfsg-3ubuntu3+esm1
6.4.5+dfsg-3ubuntu3+esm1
Ubuntu=24.04
All of
ubuntu/php-symfony<5.4.4+dfsg-1ubuntu8+esm1
5.4.4+dfsg-1ubuntu8+esm1
Ubuntu=22.04
All of
ubuntu/php-symfony<4.3.8+dfsg-1ubuntu1+esm2
4.3.8+dfsg-1ubuntu1+esm2
Ubuntu=20.04

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Child vulnerabilities

(Contains the following vulnerabilities)

Frequently Asked Questions

  • What is the severity of USN-7272-1?

    The severity of USN-7272-1 is high, as it allows attackers to potentially access sensitive information.

  • How do I fix USN-7272-1?

    To fix USN-7272-1, you should upgrade to the recommended package versions specified for your Ubuntu release.

  • What vulnerabilities are addressed in USN-7272-1?

    USN-7272-1 addresses multiple vulnerabilities, including CVE-2022-24894 and CVE-2022-24895.

  • Which Ubuntu versions are affected by USN-7272-1?

    USN-7272-1 affects Ubuntu versions 20.04, 22.04, and 24.04.

  • Who discovered the vulnerabilities in USN-7272-1?

    The vulnerabilities in USN-7272-1 were discovered by researchers Soner Sayakci and Marco Squarcina.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203