CVE-2017-16653

An issue was discovered in Symfony before 2.7.38, 2.8.31, 3.2.14, 3.3.13, 3.4-BETA5, and 4.0-BETA5. The current implementation of CSRF protection in Symfony (Version >=2) does not use different tokens for HTTP and HTTPS; therefore the token is subject to MITM attacks on HTTP and can then be used in an HTTPS context to do CSRF attacks.

Published: Aug 6, 2018
Updated: Apr 13, 2023
CVE: CVE-2017-16653
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.9
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:P/I:N/A:N

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
sensiolabs / symfony	2.7.0	2.7.37.x
sensiolabs / symfony	3.2.0	3.2.13.x
sensiolabs / symfony	3.3.0	3.3.12.x
sensiolabs / symfony	3.8.0	3.8.30.x
debian / debian_linux	9.0	9.0.x

https://github.com/symfony/symfony/pull/24992
https://symfony.com/blog/cve-2017-16653-csrf-protection-does-not-use-different-tokens-for-http-and-https
https://www.debian.org/security/2018/dsa-4262

Vulnerability Database

289,697

CVE-2017-16653