CVE-2024-51736 — Command Injection in Process

CWE-77 — Command Injection5 documents5 sources

Severity

9.8CRITICALNVD

EPSS

0.8%

top 26.22%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Symfony Sensiolabs Symfony Symfony Process

Timeline

PublishedNov 6

Description

Symphony process is a module for the Symphony PHP framework which executes commands in sub-processes. On Windows, when an executable file named `cmd.exe` is located in the current working directory it will be called by the `Process` class when preparing command arguments, leading to possible hijacking. This issue has been addressed in release versions 5.4.46, 6.4.14, and 7.1.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

▶Packagistsymfony/process6.0.0 — 6.4.14+2

▶CVEListV5symfony/symfony< 5.4.46+2

▶Packagistsymfony/symfony6.0.0 — 6.4.14+2

▶NVDsensiolabs/symfony6.0.0 — 6.4.14+2

🔴Vulnerability Details

CVEList

Command execution hijack on Windows with Process class in symfony/process↗2024-11-06

▶

GHSA

Symfony vulnerable to command execution hijack on Windows with Process class↗2024-11-06

▶

OSV

Symfony vulnerable to command execution hijack on Windows with Process class↗2024-11-06

▶

📋Vendor Advisories

Debian

CVE-2024-51736: symfony - Symphony process is a module for the Symphony PHP framework which executes comma...↗2024

▶