Fluid Attacks Database

Description

Symfony has an Authentication Bypass via RememberMe

Description

When consuming a persisted remember-me cookie, Symfony does not check if the username persisted in the database matches the username attached with the cookie, leading to authentication bypass.

Resolution

The PersistentRememberMeHandler class now ensures the submitted username is the cookie owner.

The patch for this issue is available here for branch 5.4.

Credits

We would like to thank Moritz Rauch - Pentryx AG for reporting the issue and Jérémy Derussé for providing the fix.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	symfony	=5.4.23+dfsg-1 \|\| =5.4.23+dfsg-1+deb12u1 \|\| =5.4.23+dfsg-1+deb12u2 \|\| =5.4.23+dfsg-1+deb12u3 \|\| >=0 <5.4.23+dfsg-1+deb12u4	5.4.23+dfsg-1+deb12u4
debian 13	symfony	>=0 <6.4.15+dfsg-1	6.4.15+dfsg-1
packagist	symfony/security-http	>=5.3.0 <5.4.47 \|\| >=6.0.0-beta1 <6.4.15 \|\| >=7.0.0-beta1 <7.1.8	5.4.47, 6.4.15, 7.1.8
debian 14	symfony	>=0 <6.4.15+dfsg-1	6.4.15+dfsg-1

Aliases

1. CVE-2024-519962. NVD-2024-519963. OSV-DEBIAN-2024-519964. OSV-2024-519965. GHSA-cg23-qf8f-62rr6. GCVE-2024-519967. SECURITY-TRACKER-CVE-2024-51996

References

1. https://github.com/moften/CVE-2024-519962. https://github.com/symfony/symfony/security/advisories/GHSA-cg23-qf8f-62rr3. https://github.com/symfony/symfony/commit/81354d392c5f0b7a52bcbd729d6f82501e94135a4. https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2024-51996.yaml5. https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2024-51996.yaml6. https://symfony.com/cve-2024-51996

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.