USN-7272-1: Symfony vulnerabilities

18 February 2025

Several security issues were fixed in Symfony.

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Releases

Packages

  • symfony - set of reusable components and framework for web projects

Details

Soner Sayakci discovered that Symfony incorrectly handled cookie storage in
the web cache. An attacker could possibly use this issue to obtain
sensitive information and access unauthorized resources. (CVE-2022-24894)

Marco Squarcina discovered that Symfony incorrectly handled the storage of
user session information. An attacker could possibly use this issue to
perform a cross-site request forgery (CSRF) attack. (CVE-2022-24895)

Pierre Rudloff discovered that Symfony incorrectly checked HTML input. An
attacker could possibly use this issue to perform cross site scripting.
(CVE-2023-46734)

Vladimir Dusheyko discovered that Symfony incorrectly sanitized special
input with a PHP directive in URL query strings. An attacker could possibly
use this issue to expose sensitive information or cause a denial of
service. This issue only affected Ubuntu 24.04 LTS and Ubuntu 22.04 LTS.
(CVE-2024-50340)

Oleg Andreyev, Antoine Makdessi, and Moritz Rauch discovered that Symfony
incorrectly handled user authentication. An attacker could possibly use
this issue to access unauthorized resources and expose sensitive
information. This issue was only addressed in Ubuntu 24.04 LTS.
(CVE-2024-50341, CVE-2024-51996)

Linus Karlsson and Chris Smith discovered that Symfony returned internal
host information during host resolution. An attacker could possibly use
this issue to obtain sensitive information. This issue only affected Ubuntu
24.04 LTS and Ubuntu 22.04 LTS. (CVE-2024-50342)

It was discovered that Symfony incorrectly parsed user input through
regular expressions. An attacker could possibly use this issue to expose
sensitive information. (CVE-2024-50343)

Sam Mush discovered that Symfony incorrectly parsed URIs with special
characters. An attacker could possibly use this issue to perform phishing
attacks. (CVE-2024-50345)

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 24.04
Ubuntu 22.04
Ubuntu 20.04

In general, a standard system update will make all the necessary changes.

References

Join the discussion

Need help with your security needs?

Ubuntu Pro provides up to ten-year security coverage for over 23,000 open-source packages within the Ubuntu Main and Universe repositories.

Talk to an expert to find out what would work best for you

Further reading