Symphony process is a module for the Symphony PHP framework which executes commands in sub-processes. When consuming a persisted remember-me cookie, Symfony does not check if the username persisted in the database matches the username attached with the cookie, leading to authentication bypass. This vulnerability is fixed in 5.4.47, 6.4.15, and 7.1.8.
History

Wed, 13 Nov 2024 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Symphony Php Framework
Symphony Php Framework symphony Process
CPEs cpe:2.3:a:symphony_php_framework:symphony_process:*:*:*:*:*:*:*:*
Vendors & Products Symphony Php Framework
Symphony Php Framework symphony Process
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 13 Nov 2024 16:30:00 +0000

Type Values Removed Values Added
Description Symphony process is a module for the Symphony PHP framework which executes commands in sub-processes. When consuming a persisted remember-me cookie, Symfony does not check if the username persisted in the database matches the username attached with the cookie, leading to authentication bypass. This vulnerability is fixed in 5.4.47, 6.4.15, and 7.1.8.
Title Symphony has an Authentication Bypass via RememberMe
Weaknesses CWE-287
CWE-289
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-11-13T16:18:49.473Z

Updated: 2024-11-13T18:49:31.776Z

Reserved: 2024-11-04T17:46:16.776Z

Link: CVE-2024-51996

cve-icon Vulnrichment

Updated: 2024-11-13T18:48:56.818Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-11-13T17:15:11.870

Modified: 2024-11-15T14:00:09.720

Link: CVE-2024-51996

cve-icon Redhat

No data.