CVE-2018-11385
Description
An issue was discovered in the Security component in Symfony 2.7.x before 2.7.48, 2.8.x before 2.8.41, 3.3.x before 3.3.17, 3.4.x before 3.4.11, and 4.0.x before 4.0.11. A session fixation vulnerability within the "Guard" login feature may allow an attacker to impersonate a victim towards the web application if the session id value was previously known to the attacker.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A session fixation vulnerability in Symfony's Guard authentication allows an attacker to impersonate a victim if the session ID is known.
Vulnerability
A session fixation vulnerability exists in Symfony's Security component when using the "Guard" login feature. Affected versions include Symfony 2.7.0 to 2.7.47, 2.8.0 to 2.8.40, 3.3.0 to 3.3.16, 3.4.0 to 3.4.10, and 4.0.0 to 4.0.10 [1][3][4]. The vulnerability allows an attacker to impersonate a victim if the session ID is already known to, or was set by, the attacker.
Exploitation
The attacker must already know the victim's session ID (the PHPSESSID cookie value) or be able to set one in the victim's browser, and the web application must use Symfony's Guard authentication. When the victim logs in, the session ID is not regenerated, so the attacker can present the same session ID and access the application with the victim's privileges [3][4].
Impact
Successful exploitation allows the attacker to impersonate the victim and gain the victim's permissions within the Symfony web application. This could lead to unauthorized access to sensitive data or actions. The risk is considered low due to the prerequisites [3][4].
Mitigation
The vulnerability is fixed in Symfony versions 2.7.48, 2.8.41, 3.3.17, 3.4.11, and 4.0.11 [1][3][4]. Users of affected versions should upgrade immediately. For unmaintained branches (3.0, 3.1, 3.2), no fix is available and upgrading to a supported version is recommended [3][4]. The fix ensures the session is migrated after successful login via Guard and other authentication listeners [2].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
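The mitigation above (migrate the session once authentication succeeds, before the token is stored) can be checked outside a web server. The script below is an added example, not Symfony's own code or part of the advisory: it rebuilds the `migrateSession()` helper from the patches listed further down against an in-memory mock session and shows that a session ID presented before login survives the vulnerable flow but is replaced by the fixed one. It assumes PHP 7.1 or later and `symfony/http-foundation` installed through Composer (`vendor/autoload.php`); the session ID value is constructed for the demo.

```php
<?php
// Added example (not Symfony's own code): verifies that a login handler
// rotates the session id the way the CVE-2018-11385 patches do.
// Assumes symfony/http-foundation is installed via Composer.
require __DIR__.'/vendor/autoload.php';

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Session\Session;
use Symfony\Component\HttpFoundation\Session\Storage\MockArraySessionStorage;

// Constructed sample: the session id the victim's browser already carries
// before authentication (in a fixation scenario this value is not secret).
const PRE_LOGIN_ID = 'constructed-pre-login-session-id';

// Build a POST /login request whose session already has an id and whose
// cookie jar carries it, so Request::hasPreviousSession() returns true.
function buildRequestWithPreviousSession(): Request
{
    $session = new Session(new MockArraySessionStorage()); // in-memory, no files
    $session->setId(PRE_LOGIN_ID);

    $request = Request::create('/login', 'POST', [], [$session->getName() => PRE_LOGIN_ID]);
    $request->setSession($session);

    return $request;
}

// Vulnerable shape: the session is started and used as-is; the id never changes.
function loginWithoutMigration(Request $request): string
{
    $request->getSession()->start();
    // ... token storage would be populated here ...
    return $request->getSession()->getId();
}

// Fixed shape: same logic as the private migrateSession() helper in the patches.
function migrateSession(Request $request): void
{
    if (!$request->hasSession() || !$request->hasPreviousSession()) {
        return;
    }
    // Destroying the old session is broken in PHP 5.4.0 - 5.4.10
    // See https://bugs.php.net/63379
    $destroy = \PHP_VERSION_ID < 50400 || \PHP_VERSION_ID >= 50411;
    $request->getSession()->migrate($destroy);
}

function loginWithMigration(Request $request): string
{
    migrateSession($request);
    // ... token storage would be populated here, after the id has been rotated ...
    return $request->getSession()->getId();
}

$before = loginWithoutMigration(buildRequestWithPreviousSession());
$after  = loginWithMigration(buildRequestWithPreviousSession());

printf("without migration: %s (%s)\n", $before, $before === PRE_LOGIN_ID ? 'id reused' : 'id changed');
printf("with migration:    %s (%s)\n", $after, $after === PRE_LOGIN_ID ? 'id reused' : 'id changed');

if ($before !== PRE_LOGIN_ID) {
    throw new RuntimeException('unexpected: vulnerable flow changed the id');
}
if ($after === PRE_LOGIN_ID) {
    throw new RuntimeException('session id was not migrated after login');
}
```

The cookie passed to `Request::create()` matters: `hasPreviousSession()` only reports true when the request carries a cookie named like the session, which is exactly the case a fixation attack relies on. The same two helpers can be pointed at a real listener in an integration test by asserting that `getId()` differs before and after the authentication call.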
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| symfony/symfony (Packagist) | >= 2.7.0, < 2.7.48 | 2.7.48 |
| symfony/symfony (Packagist) | >= 2.8.0, < 2.8.41 | 2.8.41 |
| symfony/symfony (Packagist) | >= 3.0.0, < 3.3.17 | 3.3.17 |
| symfony/symfony (Packagist) | >= 3.4.0, < 3.4.11 | 3.4.11 |
| symfony/symfony (Packagist) | >= 4.0.0, < 4.0.11 | 4.0.11 |
| symfony/security-http (Packagist) | >= 2.7.0, < 2.7.48 | 2.7.48 |
| symfony/security-http (Packagist) | >= 2.8.0, < 2.8.41 | 2.8.41 |
| symfony/security-http (Packagist) | >= 3.0.0, < 3.3.17 | 3.3.17 |
| symfony/security-http (Packagist) | >= 3.4.0, < 3.4.11 | 3.4.11 |
| symfony/security-http (Packagist) | >= 4.0.0, < 4.0.11 | 4.0.11 |
| symfony/security (Packagist) | >= 2.7.0, < 2.7.48 | 2.7.48 |
| symfony/security (Packagist) | >= 2.8.0, < 2.8.41 | 2.8.41 |
| symfony/security (Packagist) | >= 3.0.0, < 3.3.17 | 3.3.17 |
| symfony/security (Packagist) | >= 3.4.0, < 3.4.11 | 3.4.11 |
| symfony/security (Packagist) | >= 4.0.0, < 4.0.11 | 4.0.11 |
Affected products
3 version ranges from the GHSA (no CPE assigned):
- >= 2.7.0, < 2.7.48
- >= 2.7.0, < 2.7.48
- >= 2.7.0, < 2.7.48
Patches
194caff28b56: security #cve-2018-11385 migrating session for UsernamePasswordJsonAuthenticationListener
1 file changed · +13 −0
src/Symfony/Component/Security/Http/Firewall/UsernamePasswordJsonAuthenticationListener.php+13 −0 modified@@ -139,6 +139,8 @@ private function onSuccess(Request $request, TokenInterface $token) $this->logger->info('User has been authenticated successfully.', array('username' => $token->getUsername())); } + $this->migrateSession($request); + $this->tokenStorage->setToken($token); if (null !== $this->eventDispatcher) { @@ -182,4 +184,15 @@ private function onFailure(Request $request, AuthenticationException $failed) return $response; } + + private function migrateSession(Request $request) + { + if (!$request->hasSession() || !$request->hasPreviousSession()) { + return; + } + // Destroying the old session is broken in php 5.4.0 - 5.4.10 + // See https://bugs.php.net/63379 + $destroy = \PHP_VERSION_ID < 50400 || \PHP_VERSION_ID >= 50411; + $request->getSession()->migrate($destroy); + } }
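Review bot: the early return on `!$request->hasPreviousSession()` deserves a one-line comment, since a reader may take it for a gap: a request that arrives without a session cookie has not presented any id that could have been planted, so there is nothing to rotate. The placement of `$this->migrateSession($request);` ahead of `$this->tokenStorage->setToken($token);` is the order `SessionAuthenticationStrategyInterface` documents (session changes before the TokenStorage is populated), so that part is right.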
fad1e1f2ea33: security #cve-2018-11385 Adding session authentication strategy to Guard to avoid session fixation
1 file changed · +13 −0
src/Symfony/Component/Security/Guard/GuardAuthenticatorHandler.php+13 −0 modified@@ -46,6 +46,7 @@ public function __construct(TokenStorageInterface $tokenStorage, EventDispatcher */ public function authenticateWithToken(TokenInterface $token, Request $request) { + $this->migrateSession($request); $this->tokenStorage->setToken($token); if (null !== $this->dispatcher) { @@ -127,4 +128,16 @@ public function handleAuthenticationFailure(AuthenticationException $authenticat is_object($response) ? get_class($response) : gettype($response) )); } + + private function migrateSession(Request $request) + { + if (!$request->hasSession() || !$request->hasPreviousSession()) { + return; + } + + // Destroying the old session is broken in php 5.4.0 - 5.4.10 + // See https://bugs.php.net/63379 + $destroy = \PHP_VERSION_ID < 50400 || \PHP_VERSION_ID >= 50411; + $request->getSession()->migrate($destroy); + } }
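Review bot: style only: the new `$this->migrateSession($request);` sits directly against `$this->tokenStorage->setToken($token);` with no separating blank line, unlike the same insertion in the listener hunks of the companion commit; worth aligning. The private helper's body is identical to the listener copies, so any later change to the `$destroy` condition has to be replicated here as well.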
fa5bf4b17d45: security #cve-2018-11385 Adding session strategy to ALL listeners to avoid *any* possible fixation
6 files changed · +67 −3
src/Symfony/Component/Security/Http/Firewall/AbstractPreAuthenticatedListener.php+15 −0 modified@@ -82,6 +82,9 @@ final public function handle(GetResponseEvent $event) if (null !== $this->logger) { $this->logger->info('Pre-authentication successful.', array('token' => (string) $token)); } + + $this->migrateSession($request); + $this->tokenStorage->setToken($token); if (null !== $this->dispatcher) { @@ -114,4 +117,16 @@ private function clearToken(AuthenticationException $exception) * @return array An array composed of the user and the credentials */ abstract protected function getPreAuthenticatedData(Request $request); + + private function migrateSession(Request $request) + { + if (!$request->hasSession() || !$request->hasPreviousSession()) { + return; + } + + // Destroying the old session is broken in php 5.4.0 - 5.4.10 + // See https://bugs.php.net/63379 + $destroy = \PHP_VERSION_ID < 50400 || \PHP_VERSION_ID >= 50411; + $request->getSession()->migrate($destroy); + } }
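Review bot: no `use Symfony\Component\HttpFoundation\Request;` is added here although the new private method type-hints `Request`; the visible context line `abstract protected function getPreAuthenticatedData(Request $request);` shows the import already exists in this file, so this is fine, but it is worth a glance because the Basic and SimplePreAuthentication hunks in the same commit do add the import.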
src/Symfony/Component/Security/Http/Firewall/BasicAuthenticationListener.php+16 −0 modified@@ -11,6 +11,7 @@ namespace Symfony\Component\Security\Http\Firewall; +use Symfony\Component\HttpFoundation\Request; use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface; use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface; use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface; @@ -70,6 +71,9 @@ public function handle(GetResponseEvent $event) try { $token = $this->authenticationManager->authenticate(new UsernamePasswordToken($username, $request->headers->get('PHP_AUTH_PW'), $this->providerKey)); + + $this->migrateSession($request); + $this->tokenStorage->setToken($token); } catch (AuthenticationException $e) { $token = $this->tokenStorage->getToken(); @@ -88,4 +92,16 @@ public function handle(GetResponseEvent $event) $event->setResponse($this->authenticationEntryPoint->start($request, $e)); } } + + private function migrateSession(Request $request) + { + if (!$request->hasSession() || !$request->hasPreviousSession()) { + return; + } + + // Destroying the old session is broken in php 5.4.0 - 5.4.10 + // See https://bugs.php.net/63379 + $destroy = \PHP_VERSION_ID < 50400 || \PHP_VERSION_ID >= 50411; + $request->getSession()->migrate($destroy); + } }
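Review bot: the migration is placed inside the `try` block, after `authenticate()` returns and before `setToken()`, and the `catch (AuthenticationException $e)` path is untouched, so a failed Basic attempt leaves the session id as it was; that is the intended behaviour. Note that the `catch` only handles `AuthenticationException`, so a failure inside `migrate()` of any other type would propagate out of the listener rather than being routed to the entry point.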
src/Symfony/Component/Security/Http/Firewall/DigestAuthenticationListener.php+14 −0 modified@@ -118,6 +118,8 @@ public function handle(GetResponseEvent $event) $this->logger->info('Digest authentication successful.', array('username' => $digestAuth->getUsername(), 'received' => $digestAuth->getResponse())); } + $this->migrateSession($request); + $this->tokenStorage->setToken(new UsernamePasswordToken($user, $user->getPassword(), $this->providerKey)); } @@ -134,6 +136,18 @@ private function fail(GetResponseEvent $event, Request $request, AuthenticationE $event->setResponse($this->authenticationEntryPoint->start($request, $authException)); } + + private function migrateSession(Request $request) + { + if (!$request->hasSession() || !$request->hasPreviousSession()) { + return; + } + + // Destroying the old session is broken in php 5.4.0 - 5.4.10 + // See https://bugs.php.net/63379 + $destroy = \PHP_VERSION_ID < 50400 || \PHP_VERSION_ID >= 50411; + $request->getSession()->migrate($destroy); + } } class DigestData
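Review bot: the new call sits between the "Digest authentication successful." log line and `setToken(new UsernamePasswordToken(...))`, consistent with the other listeners. No `Request` import is added, and the `fail(GetResponseEvent $event, Request $request, ...)` signature in the context confirms it is already present. The trailing `class DigestData` in the same file is untouched by this change.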
src/Symfony/Component/Security/Http/Firewall/SimplePreAuthenticationListener.php+16 −0 modified@@ -11,6 +11,7 @@ namespace Symfony\Component\Security\Http\Firewall; +use Symfony\Component\HttpFoundation\Request; use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface; use Psr\Log\LoggerInterface; use Symfony\Component\HttpKernel\Event\GetResponseEvent; @@ -85,6 +86,9 @@ public function handle(GetResponseEvent $event) } $token = $this->authenticationManager->authenticate($token); + + $this->migrateSession($request); + $this->tokenStorage->setToken($token); if (null !== $this->dispatcher) { @@ -119,4 +123,16 @@ public function handle(GetResponseEvent $event) } } } + + private function migrateSession(Request $request) + { + if (!$request->hasSession() || !$request->hasPreviousSession()) { + return; + } + + // Destroying the old session is broken in php 5.4.0 - 5.4.10 + // See https://bugs.php.net/63379 + $destroy = \PHP_VERSION_ID < 50400 || \PHP_VERSION_ID >= 50411; + $request->getSession()->migrate($destroy); + } }
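Review bot: the added `use Symfony\Component\HttpFoundation\Request;` is inserted at the top of an import block that is itself unsorted (`Psr\Log\LoggerInterface` follows the Symfony entries), so no action is needed now, though a follow-up could sort the block. The migration runs after `authenticate($token)` returns and before `setToken()`, matching the other listeners.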
src/Symfony/Component/Security/Http/Session/SessionAuthenticationStrategyInterface.php+2 −2 modified@@ -27,8 +27,8 @@ interface SessionAuthenticationStrategyInterface /** * This performs any necessary changes to the session. * - * This method is called before the TokenStorage is populated with a - * Token, and only by classes inheriting from AbstractAuthenticationListener. + * This method should be called before the TokenStorage is populated with a + * Token. It should be used by authentication listeners when a session is used. */ public function onAuthentication(Request $request, TokenInterface $token); }
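Review bot: the reworded docblock says authentication listeners "should" call `onAuthentication()` when a session is used, but the listeners changed in this same commit do not call it and instead carry a private `migrateSession()` copy; either describe that interim arrangement in the docblock or record in the CHANGELOG that wiring the strategy into all listeners is deferred, so the documented contract and the shipped code do not disagree.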
src/Symfony/Component/Security/Http/Session/SessionAuthenticationStrategy.php+4 −1 modified@@ -47,8 +47,11 @@ public function onAuthentication(Request $request, TokenInterface $token) return; case self::MIGRATE: + // Note: this logic is duplicated in several authentication listeners + // until Symfony 5.0 due to a security fix with BC compat + // Destroying the old session is broken in php 5.4.0 - 5.4.10 - // See php bug #63379 + // See https://bugs.php.net/63379 $destroy = \PHP_VERSION_ID < 50400 || \PHP_VERSION_ID >= 50411; $request->getSession()->migrate($destroy);
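Review bot: the new comment notes that the MIGRATE logic is duplicated in several listeners until Symfony 5.0, but without a tracking issue reference or TODO marker it is easy to miss during the 5.0 cleanup; suggest citing the issue that will remove the copies. Replacing `php bug #63379` with the full `https://bugs.php.net/63379` URL is a welcome clarification.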
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (18)
- github.com/advisories/GHSA-g4rg-rw65-8hfg (ghsa; ADVISORY)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G4XNBMFW33H47O5TZGA7JYCVLDBCXAJV/ (mitre; vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UBQK7JDXIELADIPGZIOUCZKMAJM5LSBW/ (mitre; vendor-advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WU5N2TZFNGXDGMXMPP7LZCWTFLENF6WH/ (mitre; vendor-advisory, x_refsource_FEDORA)
- nvd.nist.gov/vuln/detail/CVE-2018-11385 (ghsa; ADVISORY)
- www.debian.org/security/2018/dsa-4262 (ghsa; vendor-advisory, x_refsource_DEBIAN, WEB)
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2018-11385.yaml (ghsa; WEB)
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security/CVE-2018-11385.yaml (ghsa; WEB)
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2018-11385.yaml (ghsa; WEB)
- github.com/symfony/symfony/commit/194caff28b56707ea98e746c6582c06acbb9bc3f (ghsa; WEB)
- github.com/symfony/symfony/commit/fa5bf4b17d45ee32f41bd1a9abc3fb6c134ec89b (ghsa; WEB)
- github.com/symfony/symfony/commit/fad1e1f2ea336e85c889feece9d0e23fbfcf777d (ghsa; WEB)
- lists.debian.org/debian-lts-announce/2019/03/msg00009.html (ghsa; mailing-list, x_refsource_MLIST, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G4XNBMFW33H47O5TZGA7JYCVLDBCXAJV (ghsa; WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UBQK7JDXIELADIPGZIOUCZKMAJM5LSBW (ghsa; WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WU5N2TZFNGXDGMXMPP7LZCWTFLENF6WH (ghsa; WEB)
- symfony.com/blog/cve-2018-11385-session-fixation-issue-for-guard-authentication (ghsa; x_refsource_CONFIRM, WEB)
- symfony.com/cve-2018-11385 (ghsa; WEB)