Base Score

MEDIUM5.9

CVE-2017-16653

An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The current implementation of CSRF protection in Symfony (Version >=2) does not use different tokens for HTTP and HTTPS; therefore the token is subject to MITM attacks on HTTP and can then be used in an HTTPS context to do CSRF attacks.

VectorNETWORK

Published Bycve@mitre.org

Published DateAug 06, 2018, 21:29

Affected Versions(12)

symfony/security-csrf(Packagist)

Introduced2.7.0

Fixed2.7.38

LimitN/A

symfony/security-csrf(Packagist)

Introduced2.8.0

Fixed2.8.31

LimitN/A

symfony/security-csrf(Packagist)

Introduced3.0.0

Fixed3.2.14

LimitN/A

symfony/security-csrf(Packagist)

Introduced3.3.0

Fixed3.3.13

LimitN/A

symfony/security(Packagist)

Introduced2.7.0

Fixed2.7.38

LimitN/A

symfony/security(Packagist)

Introduced2.8.0

Fixed2.8.31

LimitN/A

symfony/security(Packagist)

Introduced3.0.0

Fixed3.2.14

LimitN/A

symfony/security(Packagist)

Introduced3.3.0

Fixed3.3.13

LimitN/A

symfony/symfony(Packagist)

Introduced2.7.0

Fixed2.7.38

LimitN/A

symfony/symfony(Packagist)

Introduced2.8.0

Fixed2.8.31

LimitN/A

symfony/symfony(Packagist)

Introduced3.0.0

Fixed3.2.14

LimitN/A

symfony/symfony(Packagist)

Introduced3.3.0

Fixed3.3.13

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
symfony/security-csrf(Packagist)	2.7.0	2.7.38	N/A
symfony/security-csrf(Packagist)	2.8.0	2.8.31	N/A
symfony/security-csrf(Packagist)	3.0.0	3.2.14	N/A
symfony/security-csrf(Packagist)	3.3.0	3.3.13	N/A
symfony/security(Packagist)	2.7.0	2.7.38	N/A
symfony/security(Packagist)	2.8.0	2.8.31	N/A
symfony/security(Packagist)	3.0.0	3.2.14	N/A
symfony/security(Packagist)	3.3.0	3.3.13	N/A
symfony/symfony(Packagist)	2.7.0	2.7.38	N/A
symfony/symfony(Packagist)	2.8.0	2.8.31	N/A
symfony/symfony(Packagist)	3.0.0	3.2.14	N/A
symfony/symfony(Packagist)	3.3.0	3.3.13	N/A

Weakness Type (CWE):NVD-CWE-noinfo

CVSS Metrics

Base Score

5.9

Vector String

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Base Severity

MEDIUM

Version

3.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

HIGH

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

NONE

Availability (A)

NONE

References

Base Score

MEDIUM5.9

Weakness Type (CWE):NVD-CWE-noinfo

CVSS Metrics

Base Score

5.9

Vector String

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Base Severity

MEDIUM

Version

3.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

HIGH

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

NONE

Availability (A)

NONE

CVE-2017-16653

VectorNETWORK

Published Bycve@mitre.org

Published DateAug 06, 2018, 21:29

Package (Ecosystem)

Introduced

Fixed

Limit

symfony/security-csrf(Packagist)

2.7.0

2.7.38

N/A

symfony/security-csrf(Packagist)

2.8.0

2.8.31

N/A

symfony/security-csrf(Packagist)

3.0.0

3.2.14

N/A

symfony/security-csrf(Packagist)

3.3.0

3.3.13

N/A

symfony/security(Packagist)

2.7.0

2.7.38

N/A

symfony/security(Packagist)

2.8.0

2.8.31

N/A

symfony/security(Packagist)

3.0.0

3.2.14

N/A

symfony/security(Packagist)

3.3.0

3.3.13

N/A

symfony/symfony(Packagist)

2.7.0

2.7.38

N/A

symfony/symfony(Packagist)

2.8.0

2.8.31

N/A

symfony/symfony(Packagist)

3.0.0

3.2.14

N/A

symfony/symfony(Packagist)

3.3.0

3.3.13

N/A