CVE-2024-51996 – symfony/security-http
Package
Manager: composer
Name: symfony/security-http
Vulnerable Version: >=5.3.0 <5.4.47 || >=6.0.0-beta1 <6.4.15 || >=7.0.0-beta1 <7.1.8
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00056 (percentile 0.17395)
Details
Symfony has an Authentication Bypass via RememberMe
Description
When consuming a persisted remember-me cookie, Symfony does not check whether the username persisted in the database matches the username attached to the cookie, leading to authentication bypass.
Resolution
The `PersistentRememberMeHandler` class now ensures the submitted username is the cookie owner. The patch for this issue is available [here](https://github.com/symfony/symfony/commit/81354d392c5f0b7a52bcbd729d6f82501e94135a) for branch 5.4.
Credits
We would like to thank Moritz Rauch - Pentryx AG for reporting the issue and Jérémy Derussé for providing the fix.
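An added illustration in plain PHP (not Symfony's code and not the linked patch) of the check the resolution describes: the owner of the persisted token must match the username carried in the cookie, otherwise the cookie is rejected. The in-memory token store, the `username:series:tokenValue` cookie format and the sample data are assumptions constructed for this example.

```php
<?php
// Added illustration, not Symfony's code: a minimal persistent remember-me check that
// ties the username in the cookie to the owner of the stored token. Store, cookie
// format and sample data are constructed for this example.
final class RememberMeToken
{
    public function __construct(
        public readonly string $tokenValue,
        public readonly string $username,
    ) {}
}
final class PersistentRememberMeCheck
{
    /** @param array<string, RememberMeToken> $tokensBySeries in-memory store keyed by series */
    public function __construct(private readonly array $tokensBySeries) {}
    /** Cookie value is "username:series:tokenValue" (constructed format). */
    public function consume(string $cookieValue): string
    {
        $parts = explode(':', $cookieValue, 3);
        if (count($parts) !== 3) {
            throw new RuntimeException('Malformed remember-me cookie.');
        }
        [$cookieUsername, $series, $tokenValue] = $parts;
        $persisted = $this->tokensBySeries[$series] ?? null;
        if ($persisted === null) {
            throw new RuntimeException('Unknown series.');
        }
        // Constant-time comparison of the secret token value.
        if (!hash_equals($persisted->tokenValue, $tokenValue)) {
            throw new RuntimeException('Token value mismatch.');
        }
        // The check this advisory is about: the username in the cookie must be the
        // owner of the persisted token; without it, a valid series/token pair could
        // be presented under a different username.
        if (!hash_equals($persisted->username, $cookieUsername)) {
            throw new RuntimeException('Cookie username does not match token owner.');
        }
        return $persisted->username;
    }
}
// Constructed sample: a single stored token owned by "alice".
$check = new PersistentRememberMeCheck([
    'series-1' => new RememberMeToken('secret-token', 'alice'),
]);
echo $check->consume('alice:series-1:secret-token'), PHP_EOL; // owner's cookie is accepted
try {
    $check->consume('bob:series-1:secret-token');             // same token, other username
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```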
Metadata
Created: 2024-11-13T18:29:04Z
Modified: 2024-11-14T23:55:43Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-cg23-qf8f-62rr/GHSA-cg23-qf8f-62rr.json
CWE IDs: ["CWE-287", "CWE-289"]
Alternative ID: GHSA-cg23-qf8f-62rr
Finding: F006
Auto approve: 1