CVE-2024-51996
unknown
CVSS v3: —
CVSS v2: —
VIR risk: —
Description
Symfony Process is a module for the Symfony PHP framework which executes commands in sub-processes. When consuming a persisted remember-me cookie, Symfony does not check whether the username persisted in the database matches the username attached to the cookie, leading to an authentication bypass. This vulnerability is fixed in 5.4.47, 6.4.15, and 7.1.8.
Predictions
Exploit likelihood: 30%
Patch ETA: —
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2024-51996
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | fixed | 5.4.23+dfsg-1+deb12u4 |
| debian | bullseye | fixed | 0 |
| debian | forky | fixed | 6.4.15+dfsg-1 |
| debian | sid | fixed | 6.4.15+dfsg-1 |
| debian | trixie | fixed | 6.4.15+dfsg-1 |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Packagist | symfony/security-http | >=5.3.0,<5.4.47 | 5.4.47 |
| Packagist | symfony/security-http | >=6.0.0-BETA1,<6.4.15 | 6.4.15 |
| Packagist | symfony/security-http | >=7.0.0-BETA1,<7.1.8 | 7.1.8 |
References
- https://github.com/symfony/symfony/security/advisories/GHSA-cg23-qf8f-62rr
- https://nvd.nist.gov/vuln/detail/CVE-2024-51996
- https://github.com/symfony/symfony/commit/81354d392c5f0b7a52bcbd729d6f82501e94135a
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2024-51996.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2024-51996.yaml
- https://github.com/symfony/symfony
- https://symfony.com/cve-2024-51996
- https://security-tracker.debian.org/tracker/CVE-2024-51996