CVE-2024-50341

symfony/security-bundle is a module for the Symphony PHP framework which provides a tight integration of the Security component into the Symfony full-stack framework. The custom `user_checker` defined on a firewall is not called when Login Programmaticaly with the `Security::login` method, leading to  unwanted login. As of versions 6.4.10, 7.0.10 and 7.1.3 the `Security::login` method now ensure to call the configured `user_checker`. All users are advised to upgrade. There are no known workarounds for this vulnerability.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
3.1 LOW
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
GitHub_MCNA
3.1 LOW
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
CISA-ADPADP
---
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 13%
Debian logo
Debian Releases
Debian Product
Codename
symfony
bullseye
4.4.19+dfsg-2+deb11u6
not-affected
bookworm
5.4.23+dfsg-1+deb12u4
not-affected
bookworm (security)
5.4.23+dfsg-1+deb12u4
fixed
sid
6.4.21+dfsg-2
fixed
trixie
6.4.21+dfsg-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
symfony
plucky
not-affected
oracular
not-affected
noble
Fixed 6.4.5+dfsg-3ubuntu3+esm1
released
jammy
not-affected
focal
not-affected
bionic
not-affected
xenial
not-affected
Common Weakness Enumeration
References
https://github.com/symfony/symfony/commit/22a0789a0085c3ee96f4ef715ecad8255cf0e105
https://github.com/symfony/symfony/security/advisories/GHSA-jxgr-3v7q-3w9v