Vulnerability Details : CVE-2017-16653
An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The current implementation of CSRF protection in Symfony (Version >=2) does not use different tokens for HTTP and HTTPS; therefore the token is subject to MITM attacks on HTTP and can then be used in an HTTPS context to do CSRF attacks.
Vulnerability category: Cross-site request forgery (CSRF)
Exploit prediction scoring system (EPSS) score for CVE-2017-16653
Probability of exploitation activity in the next 30 days: 0.08%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 33 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2017-16653
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N |
8.6
|
2.9
|
NIST |
|
5.9
|
MEDIUM | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
2.2
|
3.6
|
NIST |
References for CVE-2017-16653
-
https://symfony.com/blog/cve-2017-16653-csrf-protection-does-not-use-different-tokens-for-http-and-https
CVE-2017-16653: CSRF protection does not use different tokens for HTTP and HTTPS (Symfony Blog)Issue Tracking;Third Party Advisory
-
https://www.debian.org/security/2018/dsa-4262
Debian -- Security Information -- DSA-4262-1 symfonyThird Party Advisory
-
https://github.com/symfony/symfony/pull/24992
Namespace generated CSRF tokens depending of the current scheme by fabpot · Pull Request #24992 · symfony/symfony · GitHubIssue Tracking;Third Party Advisory
Products affected by CVE-2017-16653
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*
- cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*