CVE-2024-36611

In Symfony v7.07, a security vulnerability was identified in the FormLoginAuthenticator component, where it failed to adequately handle cases where the username or password field of a login request is empty. This flaw could lead to various security risks, including improper authentication logic handling or denial of service. NOTE: the Supplier has concluded that this is a false report.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
mitreCNA
---
---
CISA-ADPADP
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 71%
Debian logo
Debian Releases
Debian Product
Codename
symfony
bullseye
unimportant
bullseye (security)
unimportant
bookworm
unimportant
bookworm (security)
unimportant
trixie
unimportant
sid
unimportant
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
symfony
oracular
ignored
noble
ignored
jammy
ignored
focal
ignored
bionic
ignored
xenial
ignored
Common Weakness Enumeration
References
https://gist.github.com/1047524396/3581425e0911b716cf8ce4fa30e41e6c
https://github.com/github/advisory-database/pull/5046
https://github.com/symfony/symfony/blob/v7.0.7/src/Symfony/Component/Security/Http/Authenticator/FormLoginAuthenticator.php#L132
https://github.com/symfony/symfony/commit/a804ca15fcad279d7727b91d12a667fd5b925995
https://github.com/symfony/symfony/issues/59077#issuecomment-2513935018