Allele Security Alert
ASA-2019-00226
Identifier(s)
ASA-2019-00226, CVE-2019-10911
Title
Add a separator in the remember me cookie hash
Vendor(s)
Sensio Labs
Product(s)
Symfony
Affected version(s)
Symfony 2.7.0 to 2.7.50
Symfony 2.8.0 to 2.8.49
Symfony 3.4.0 to 3.4.25
Symfony 4.1.0 to 4.1.11
Symfony 4.2.0 to 4.2.6
Fixed version(s)
Symfony 2.7.51
Symfony 2.8.50
Symfony 3.4.26
Symfony 4.2.7
Proof of concept
Unknown
Description
This fixes situations where part of an expiry time in a cookie could be considered part of the username, or part of the username could be considered part of the expiry time. An attacker could modify the remember me cookie and authenticate as a different user. This attack is only possible if remember me functionality is enabled and the two users share a password hash or the password hashes (e.g. UserInterface::getPassword()) are null for all users (which is valid if passwords are checked by an external system, e.g. an SSO).
Technical details
Unknown
Credits
Jon Cave
Reference(s)
CVE-2019-10911: Add a separator in the remember me cookie hash
https://symfony.com/blog/cve-2019-10911-add-a-separator-in-the-remember-me-cookie-hash
Drupal core – Moderately critical – Multiple Vulnerabilities – SA-CORE-2019-005
https://www.drupal.org/sa-core-2019-005
CVE-2019-10911
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10911
CVE-2019-10911
https://nvd.nist.gov/vuln/detail/CVE-2019-10911
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: April 27, 2019