oro/platform 5.0.9 vulnerable to CVE-2022-24894 and CVE-2022-24894.

ndeg commented 1 year ago

Summary
The latest version of oto/platform is vulnerable to CVE-2022-24894 and CVE-2022-24895.

https://symfony.com/blog/cve-2022-24894-prevent-storing-cookie-headers-in-httpcache https://symfony.com/blog/cve-2022-24895-csrf-token-fixation

These vulnerabilities has been fixed in v5.4.20 of package symfony/security-bundle

Steps to reproduce

 git clone https://github.com/oroinc/platform.git
 cd platform
 git checkout 5.0.9
 composer install --ignore-platform-reqs
 composer audit

Actual Result

 Found 2 security vulnerability advisories affecting 2 packages:
+-------------------+----------------------------------------------------------------------------------+
| Package           | symfony/http-kernel                                                              |
| CVE               | CVE-2022-24894                                                                   |
| Title             | CVE-2022-24894: Prevent storing cookie headers in HttpCache                      |
| URL               | https://symfony.com/cve-2022-24894                                               |
| Affected versions | >=2.0.0,<2.1.0|>=2.1.0,<2.2.0|>=2.2.0,<2.3.0|>=2.3.0,<2.4.0|>=2.4.0,<2.5.0|>=2.5 |
|                   | .0,<2.6.0|>=2.6.0,<2.7.0|>=2.7.0,<2.8.0|>=2.8.0,<3.0.0|>=3.0.0,<3.1.0|>=3.1.0,<3 |
|                   | .2.0|>=3.2.0,<3.3.0|>=3.3.0,<3.4.0|>=3.4.0,<4.0.0|>=4.0.0,<4.1.0|>=4.1.0,<4.2.0| |
|                   | >=4.2.0,<4.3.0|>=4.3.0,<4.4.0|>=4.4.0,<4.4.50|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5. |
|                   | 2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.20|>=6.0.0,<6.0.20|>=6.1.0,<6.1.12|>=6.2. |
|                   | 0,<6.2.6                                                                         |
| Reported at       | 2023-02-01T08:00:00+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | symfony/security-bundle                                                          |
| CVE               | CVE-2022-24895                                                                   |
| Title             | CVE-2022-24895: Possible CSRF token fixation                                     |
| URL               | https://symfony.com/cve-2022-24895                                               |
| Affected versions | >=2.4.0,<2.5.0|>=2.5.0,<2.6.0|>=2.6.0,<2.7.0|>=2.7.0,<2.8.0|>=2.8.0,<3.0.0|>=3.0 |
|                   | .0,<3.1.0|>=3.1.0,<3.2.0|>=3.2.0,<3.3.0|>=3.3.0,<3.4.0|>=3.4.0,<4.0.0|>=4.0.0,<4 |
|                   | .1.0|>=4.1.0,<4.2.0|>=4.2.0,<4.3.0|>=4.3.0,<4.4.0|>=4.4.0,<4.4.42|>=5.0.0,<5.1.0 |
|                   | |>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.20|>=6.0.0,<6.0.20|>= |
|                   | 6.1.0,<6.1.12|>=6.2.0,<6.2.6                                                     |
| Reported at       | 2023-02-01T08:00:00+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+

Expected Result

No vulnerabilities found.

Details about your environment

OroPlatform version: 5.0.9
PHP version: v7.4.3 (packages installed with --ignore-platform-reqs option)
Database (MySQL, PostgreSQL) version : Not applicable

ndeg commented 9 months ago

I guess that vulnerability had been fixed on v5.0.11 thanks to this commit.

https://github.com/oroinc/platform/commit/f1bab170e3d5aeebea2d41418d6ea86b7ac9b20b#diff-d2ab9925cad7eac58e0ff4cc0d251a937ecf49e4b6bf57f8b95aab76648a9d34

ndeg commented 9 months ago

So all is ok.

oroinc / platform

oro/platform 5.0.9 vulnerable to CVE-2022-24894 and CVE-2022-24894. #1095