CVE-2024-50341 — Improper Authentication in Security-bundle

CWE-287 — Improper Authentication7 documents6 sources

Severity

3.1LOWNVD

EPSS

0.1%

top 65.05%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Symfony Symfony Security-bundle

Timeline

PublishedNov 6

Latest updateFeb 18

Description

symfony/security-bundle is a module for the Symphony PHP framework which provides a tight integration of the Security component into the Symfony full-stack framework. The custom `user_checker` defined on a firewall is not called when Login Programmaticaly with the `Security::login` method, leading to unwanted login. As of versions 6.4.10, 7.0.10 and 7.1.3 the `Security::login` method now ensure to call the configured `user_checker`. All users are advised to upgrade. There are no known workaround…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 1.6 | Impact: 1.4

Affected Packages4 packages

▶Packagistsymfony/security-bundle6.2.0 — 6.4.10+2

▶Packagistsymfony/symfony6.2.0 — 6.4.10+2

▶Debiansymfony/symfony< 6.4.10+dfsg-1+1

▶CVEListV5symfony/symfony>= 6.2.0, < 6.4.10, >= 7.0.0, < 7.0.10, >= 7.1.0, < 7.1.3+2

🔴Vulnerability Details

CVEList

Security::login does not take into account custom user_checker in symfony/security-bundle↗2024-11-06

▶

GHSA

Symfony's `Security::login` does not take into account custom `user_checker`↗2024-11-06

▶

OSV

CVE-2024-50341: symfony/security-bundle is a module for the Symphony PHP framework which provides a tight integration of the Security component into the Symfony full-↗2024-11-06

▶

OSV

Symfony's `Security::login` does not take into account custom `user_checker`↗2024-11-06

▶

📋Vendor Advisories

Ubuntu

Symfony vulnerabilities↗2025-02-18

▶

Debian

CVE-2024-50341: symfony - symfony/security-bundle is a module for the Symphony PHP framework which provide...↗2024

▶