Candidate: CVE-2021-41268
PublicDate: 2021-11-24 19:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41268
 https://github.com/symfony/symfony/security/advisories/GHSA-qw36-p97w-vcqr
 https://github.com/symfony/symfony/commit/36a808b857cd3240244f4b224452fb1e70dc6dfc (v5.3.12)
 https://github.com/symfony/symfony/releases/tag/v5.3.12
 https://github.com/symfony/symfony/commit/36a808b857cd3240244f4b224452fb1e70dc6dfc
 https://github.com/symfony/symfony/pull/44243
Description:
 Symfony/SecurityBundle is the security system for Symfony, a PHP framework
 for web and console applications and a set of reusable PHP components.
 Since the rework of the Remember me cookie in version 5.3.0, the cookie is
 not invalidated when the user changes their password. Attackers can
 therefore maintain their access to the account even if the password is
 changed as long as they have had the chance to login once and get a valid
 remember me cookie. Starting with version 5.3.12, Symfony makes the
 password part of the signature by default. In that way, when the password
 changes, then the cookie is not valid anymore.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [8.8 HIGH]


Patches_symfony:
 upstream: https://github.com/symfony/symfony/commit/36a808b857cd3240244f4b224452fb1e70dc6dfc
upstream_symfony: not-affected (debian: Vulnerable code never in released version in unstable)
trusty_symfony: ignored (out of standard support)
xenial_symfony: ignored (out of standard support)
bionic_symfony: not-affected (code not present)
focal_symfony: not-affected (code not present)
hirsute_symfony: ignored (reached end-of-life)
impish_symfony: not-affected (code not present)
jammy_symfony: not-affected (code not present)
devel_symfony: not-affected (code not present)