Package details: pkg:composer/symfony/http-kernel@4.4.50
purl pkg:composer/symfony/http-kernel@4.4.50
Vulnerabilities affecting this package (0)
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (1)
Vulnerability: VCID-64bd-n2s2-9qcj
Aliases: CVE-2022-24894, GHSA-h7vf-5wrv-9fhv
Summary: Symfony storing cookie headers in HttpCache

Description
-----------
The Symfony HTTP cache system acts as a reverse proxy: it caches HTTP responses (including headers) and returns them to clients. In a recent `AbstractSessionListener` change, the response might now contain a `Set-Cookie` header. If the Symfony HTTP cache system is enabled, this header might be stored and returned to some other clients. An attacker can use this vulnerability to retrieve the victim's session.

Resolution
----------
The `HttpStore` constructor now takes a parameter containing a list of private headers that are removed from the HTTP response headers. The default value for this parameter is `Set-Cookie`, but it can be overridden or extended by the application. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/d2f6322af9444ac5cd1ef3ac6f280dbef7f9d1fb) for branch 4.4.

Credits
-------
We would like to thank Soner Sayakci for reporting the issue and Nicolas Grekas for fixing it.

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2025-07-03T16:52:44.529553+00:00 | GHSA Importer | Fixing | VCID-64bd-n2s2-9qcj | https://github.com/advisories/GHSA-h7vf-5wrv-9fhv | 37.0.0 |
| 2025-07-01T12:14:41.994225+00:00 | GithubOSV Importer | Fixing | VCID-64bd-n2s2-9qcj | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-h7vf-5wrv-9fhv/GHSA-h7vf-5wrv-9fhv.json | 36.1.3 |