CVE-2024-51996 — Improper Authentication in Security-http

CWE-287 — Improper Authentication CWE-289 — Authentication Bypass by Alternate Name7 documents6 sources

Severity

7.5HIGHNVD

EPSS

0.1%

top 74.80%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Symfony Symfony Security-http

Timeline

PublishedNov 13

Latest updateFeb 18

Description

Symphony process is a module for the Symphony PHP framework which executes commands in sub-processes. When consuming a persisted remember-me cookie, Symfony does not check if the username persisted in the database matches the username attached with the cookie, leading to authentication bypass. This vulnerability is fixed in 5.4.47, 6.4.15, and 7.1.8.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶Packagistsymfony/security-http5.3.0 — 5.4.47+2

▶Debiansymfony/symfony< 5.4.23+dfsg-1+deb12u4+2

▶CVEListV5symfony/symfony>= 5.3.0, < 5.4.47, >= 6.0.0-BETA1, < 6.4.15, >= 7.0.0-BETA1, < 7.1.8+2

🔴Vulnerability Details

OSV

CVE-2024-51996: Symphony process is a module for the Symphony PHP framework which executes commands in sub-processes↗2024-11-13

▶

CVEList

Symphony has an Authentication Bypass via RememberMe↗2024-11-13

▶

GHSA

Symfony has an Authentication Bypass via RememberMe↗2024-11-13

▶

OSV

Symfony has an Authentication Bypass via RememberMe↗2024-11-13

▶

📋Vendor Advisories

Ubuntu

Symfony vulnerabilities↗2025-02-18

▶

Debian

CVE-2024-51996: symfony - Symphony process is a module for the Symphony PHP framework which executes comma...↗2024

▶