CVE-2024-51996

State: PUBLISHED · Published: 2024-11-13 · Updated: 2024-11-13 · Assigner: GitHub_M

Description

Symphony process is a module for the Symphony PHP framework which executes commands in sub-processes. When consuming a persisted remember-me cookie, Symfony does not check if the username persisted in the database matches the username attached with the cookie, leading to authentication bypass. This vulnerability is fixed in 5.4.47, 6.4.15, and 7.1.8.

CWE

CWE-287 — CWE-287: Improper Authentication
CWE-289 — CWE-289: Authentication Bypass by Alternate Name

Affected

symfony / symfony — v=>= 5.3.0, < 5.4.47 [affected]; v=>= 6.0.0-BETA1, < 6.4.15 [affected]; v=>= 7.0.0-BETA1, < 7.1.8 [affected]

CVSS

3.1 score=7.5 severity=HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

https://github.com/symfony/symfony/security/advisories/GHSA-cg23-qf8f-62rr x_refsource_CONFIRM
https://github.com/symfony/symfony/commit/81354d392c5f0b7a52bcbd729d6f82501e94135a x_refsource_MISC

Source

cvelistV5-main/cves/2024/51xxx/CVE-2024-51996.json