Fluid Attacks Database

Description

Symfony vulnerable to command execution hijack on Windows with Process class

Description

On Windows, when an executable file named cmd.exe is located in the current working directory it will be called by the Process class when preparing command arguments, leading to possible hijacking.

Resolution

The Process class now uses the absolute path to cmd.exe.

The patch for this issue is available here for branch 5.4.

Credits

We would like to thank Jordi Boggiano for reporting the issue and Nicolas Grekas for providing the fix.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
packagist	symfony/process	>=0 <5.4.46 \|\| >=6.0.0 <6.4.14 \|\| >=7.0.0 <7.1.7	5.4.46, 6.4.14, 7.1.7
packagist	symfony/symfony	>=0 <5.4.46 \|\| >=6.0.0 <6.4.14 \|\| >=7.0.0 <7.1.7	5.4.46, 6.4.14, 7.1.7

Aliases

1. CVE-2024-517362. NVD-2024-517363. OSV-2024-517364. GHSA-qq5c-677p-737q5. GCVE-2024-51736

References

1. https://github.com/symfony/symfony/security/advisories/GHSA-qq5c-677p-737q2. https://github.com/symfony/symfony/commit/18ecd03eda3917fdf901a48e72518f911c64a1c93. https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/process/CVE-2024-51736.yaml4. https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2024-51736.yaml5. https://symfony.com/cve-2024-51736

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.