CVE-2024-36611 symfony/security-http

Package

Manager: composer
Name: symfony/security-http
Vulnerable Version: <0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

EPSS: 0.00576 (percentile: 0.6783)

Details

Withdrawn Advisory: Symfony http-security has authentication bypass

## Withdrawn Advisory

This advisory has been withdrawn because the report is not part of a valid vulnerability. This link is maintained to preserve external references. For more information, see advisory-database/pull/5046.

## Original Description

In Symfony, a security vulnerability was identified in the FormLoginAuthenticator component, where it failed to adequately handle cases where the username or password field of a login request is empty. This flaw could lead to various security risks, including improper authentication logic handling or denial of service.

Metadata

Created: 2024-11-29T21:31:03Z
Modified: 2024-12-03T21:36:47Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-7q22-x757-cmgc/GHSA-7q22-x757-cmgc.json
CWE IDs: ["CWE-287", "CWE-863"]
Alternative ID: GHSA-7q22-x757-cmgc
Finding: N/A
Auto approve: 0