CVE-2024-51996

NameCVE-2024-51996
DescriptionSymphony process is a module for the Symphony PHP framework which executes commands in sub-processes. When consuming a persisted remember-me cookie, Symfony does not check if the username persisted in the database matches the username attached with the cookie, leading to authentication bypass. This vulnerability is fixed in 5.4.47, 6.4.15, and 7.1.8.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-5813-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
symfony (PTS)jessie, jessie (lts)2.3.21+dfsg-4+deb8u6vulnerable
stretch (security)2.8.7+dfsg-1.3+deb9u3vulnerable
stretch (lts), stretch2.8.7+dfsg-1.3+deb9u5vulnerable
buster (security), buster, buster (lts)3.4.22+dfsg-2+deb10u3vulnerable
bullseye4.4.19+dfsg-2+deb11u6vulnerable
bookworm5.4.23+dfsg-1+deb12u2vulnerable
bookworm (security)5.4.23+dfsg-1+deb12u4fixed
sid, trixie6.4.16+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
symfonysourcebookworm5.4.23+dfsg-1+deb12u4DSA-5813-1
symfonysource(unstable)6.4.15+dfsg-1

Notes

https://github.com/symfony/symfony/security/advisories/GHSA-cg23-qf8f-62rr
https://github.com/symfony/symfony/commit/81354d392c5f0b7a52bcbd729d6f82501e94135a (v5.4.47, v6.4.15, v7.1.8, v7.2.0-RC1)

Search for package or bug name: Reporting problems