CVE-2024-51996

EUVD-2024-3234
Symphony process is a module for the Symphony PHP framework which executes commands in sub-processes. When consuming a persisted remember-me cookie, Symfony does not check if the username persisted in the database matches the username attached with the cookie, leading to authentication bypass. This vulnerability is fixed in 5.4.47, 6.4.15, and 7.1.8.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
GitHub_MCNA
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 11%
Debian logo
Debian Releases
Debian Product
Codename
symfony
bookworm
5.4.23+dfsg-1+deb12u4
fixed
bookworm (security)
5.4.23+dfsg-1+deb12u4
fixed
bullseye
4.4.19+dfsg-2+deb11u6
not-affected
bullseye (security)
4.4.19+dfsg-2+deb11u7
fixed
forky
7.4.2+dfsg-2
fixed
sid
7.4.3+dfsg-1
fixed
trixie
6.4.21+dfsg-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
symfony
bionic
not-affected
focal
not-affected
jammy
needs-triage
noble
Fixed 6.4.5+dfsg-3ubuntu3+esm1
released
oracular
ignored
plucky
needs-triage
questing
needs-triage
xenial
not-affected
Common Weakness Enumeration
References
https://github.com/symfony/symfony/commit/81354d392c5f0b7a52bcbd729d6f82501e94135a
https://github.com/symfony/symfony/security/advisories/GHSA-cg23-qf8f-62rr