CVE-2017-16653: CSRF vulnerability

August 6, 2018 (updated October 2, 2019)

The implementation of CSRF protection did not use different tokens for HTTP and HTTPS, therefore the token was subject to MITM attacks on HTTP and could then be used in HTTPS context to do CSRF attacks.

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16653
github.com/symfony/symfony/pull/24992

Code Behaviors & Features

Detect and mitigate CVE-2017-16653 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →