cbcvebase.
CVE-2024-50340
published 2024-11-06


Priority: P2 (70, high)
CVSS 3.1: 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Exploit: public exploit available
EPSS: 63.42% (99.1 percentile)
symfony/runtime is a module for the Symfony PHP framework which enables decoupling PHP applications from global state. When the `register_argv_argc` PHP directive is set to `on`, and users call any URL with a specially crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request. As of versions 5.4.46, 6.4.14, and 7.1.7, the `SymfonyRuntime` now ignores the `argv` values for non-SAPI PHP runtimes. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected

24 ranges

Vendor  | Product | Version range                                   | Fixed in
debian  | symfony | < symfony 5.4.23+dfsg-1+deb12u3 (bookworm)      | symfony 5.4.23+dfsg-1+deb12u3 (bookworm)
symfony | runtime | >= 5.3.0 < 5.4.46                               | 5.4.46
symfony | runtime | >= 5.4.46 < 5.4.52                              | 5.4.52
symfony | runtime | >= 6.0.0 < 6.4.14                               | 6.4.14
symfony | runtime | >= 6.4.14 < 6.4.40                              | 6.4.40
symfony | runtime | >= 7.0.0 < 7.1.7                                | 7.1.7
symfony | runtime | >= 7.1.7 < 7.4.12                               | 7.4.12
symfony | runtime | >= 8.0.0 < 8.0.12                               | 8.0.12
symfony | symfony | < 5.4.46                                        | 5.4.46
symfony | symfony |                                                 |
symfony | symfony |                                                 |
symfony | symfony | >= 0 < 5.4.23+dfsg-1+deb12u3                    | 5.4.23+dfsg-1+deb12u3
symfony | symfony | >= 0 < 6.4.14+dfsg-1                            | 6.4.14+dfsg-1
symfony | symfony | >= 0 < 6.4.14+dfsg-1                            | 6.4.14+dfsg-1
symfony | symfony | >= 0 < 4.3.8+dfsg-1ubuntu1+esm2                 | 4.3.8+dfsg-1ubuntu1+esm2
symfony | symfony | >= 0 < 5.4.4+dfsg-1ubuntu8+esm1                 | 5.4.4+dfsg-1ubuntu8+esm1
symfony | symfony | >= 0 < 6.4.5+dfsg-3ubuntu3+esm1                 | 6.4.5+dfsg-3ubuntu3+esm1
symfony | symfony | >= 5.3.0 < 5.4.46                               | 5.4.46
symfony | symfony | >= 5.4.46 < 5.4.52                              | 5.4.52
symfony | symfony | >= 6.0.0 < 6.4.14                               | 6.4.14
symfony | symfony | >= 6.4.14 < 6.4.40                              | 6.4.40
symfony | symfony | >= 7.0.0 < 7.1.7                                | 7.1.7
symfony | symfony | >= 7.1.7 < 7.4.12                               | 7.4.12
symfony | symfony | >= 8.0.0 < 8.0.12                               | 8.0.12

Detection & IOCs (extracted from sources)

url: {{BaseURL}}/_profiler/phpinfo?+--env=dev
path: /_profiler/phpinfo
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Symphony PHP Symfony Profiler Environment Manipulation (CVE-2024-50340)"; flow:established,to_server; http.uri; content:"|3d|dev"; nocase; pcre:"/[\x3f\x26]\x2b\x2d{1,2}e(?:nv)?\x3ddev/i"; reference:url,github.com/Nyamort/CVE-2024-50340; reference:cve,2024-50340; classtype:web-application-attack; sid:2057414; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2024_11_13, cve CVE_2024_50340, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2024_11_13, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit query string pattern: a `+--env=dev` or `+--e=dev` argument injected into any URL query string (after `?` or `&`) triggers environment manipulation. Match URI for the PCRE pattern `/[\x3f\x26]\x2b\x2d{1,2}e(?:nv)?\x3ddev/i`.
  • Probe for active exploitation by checking for HTTP 200 response to `/_profiler/phpinfo?+--env=dev` with body containing both 'PHP Extension' and 'PHP Version' — indicates the profiler is exposed in dev mode.
  • Initial fingerprinting: detect Symfony applications via response body containing 'symfony' (case-insensitive) or a `Set-Cookie: symfony` response header before probing the profiler endpoint.
  • The URI content indicator for the Snort/ET rule is the literal byte sequence `=dev` (`|3d|dev`) within the URI, combined with the injected argument prefix pattern.
  • The vulnerability is only exploitable when the `register_argv_argc` PHP directive is set to `on`. Installations with this directive disabled are not affected.
  • The fix (ignoring `argv` values for non-SAPI PHP runtimes) is present in versions 5.4.46, 6.4.14, and 7.1.7. Debian-specific fixed versions are 5.4.23+dfsg-1+deb12u3 (bookworm) and 6.4.14+dfsg-1 (forky/sid/trixie).
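The same URI pattern the Snort/ET rule uses can be applied retroactively to web-server access logs. The following is an added example, not code from the advisory, Emerging Threats or the Symfony project; the log lines are constructed, and the request-line parser assumes the common Apache/nginx combined log format.

```python
import re

# Same expression as the Snort/ET rule's pcre: `?` or `&`, then `+`, one or two
# `-`, `e` or `env`, then `=dev` (case-insensitive). The `+` is what makes PHP's
# register_argv_argc treat the rest as a separate argv entry.
ARGV_ENV_PATTERN = re.compile(r"[\x3f\x26]\x2b\x2d{1,2}e(?:nv)?\x3ddev", re.IGNORECASE)

# Pulls method and URI out of the quoted request line of a combined-format entry.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not real traffic). Lines 3 and 4 contain `=dev`
# but not the injected-argument prefix, so the `=dev` content match alone would
# be a false positive; only the full pattern should fire.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Nov/2024:10:01:02 +0000] "GET /_profiler/phpinfo?+--env=dev HTTP/1.1" 200 5120 "-" "curl/8.4.0"
203.0.113.5 - - [13/Nov/2024:10:01:03 +0000] "GET /index.php?page=1&+-e=dev HTTP/1.1" 200 812 "-" "curl/8.4.0"
198.51.100.7 - - [13/Nov/2024:10:02:10 +0000] "GET /blog?env=dev HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Nov/2024:10:02:11 +0000] "GET /search?q=--env=dev HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""


def find_argv_injection(log_text):
    """Return one record per log line whose request URI matches the rule's pattern."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_LINE.search(line)
        if not m:
            continue  # not a parseable request line; skip rather than guess
        uri = m.group("uri")
        if ARGV_ENV_PATTERN.search(uri):
            hits.append({"line": lineno, "client": line.split(" ", 1)[0], "uri": uri})
    return hits


if __name__ == "__main__":
    for hit in find_argv_injection(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['client']} requested {hit['uri']}")
```

Only the first two sample lines are reported; a hit on a host where `register_argv_argc` is `on` and the patched versions are not deployed warrants treating the request as a successful environment switch, not just a probe.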

CVSS provenance

nvd: 7.3 HIGH (v3.1, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
ghsa: 7.3 HIGH
osv: 8.8 HIGH
vendor_debian: 7.3 HIGH
vendor_ubuntu: 5.9 MEDIUM