CVE-2024-50345

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-50345
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-50345.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-50345
Aliases
Related
Published
2024-11-06T21:15:06Z
Modified
2024-11-11T21:48:44.673503Z
Summary
[none]
Details

symfony/http-foundation is a module for the Symphony PHP framework which defines an object-oriented layer for the HTTP specification. The Request class, does not parse URI with special characters the same way browsers do. As a result, an attacker can trick a validator relying on the Request class to redirect users to another domain. The Request::create methods now assert the URI does not contain invalid characters as defined by https://url.spec.whatwg.org/. This issue has been patched in versions 5.4.46, 6.4.14, and 7.1.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.

References

Affected packages

Debian:11 / symfony

Package

Name
symfony
Purl
pkg:deb/debian/symfony?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

4.*

4.4.19+dfsg-2
4.4.19+dfsg-2+deb11u1
4.4.19+dfsg-2+deb11u2
4.4.19+dfsg-2+deb11u3
4.4.19+dfsg-2+deb11u4
4.4.19+dfsg-2+deb11u5
4.4.19+dfsg-2+deb11u6
4.4.19+dfsg-3

5.*

5.0.0~beta2-1
5.0.2-1
5.0.4-1
5.2.1+dfsg-1
5.2.2+dfsg-1
5.2.3+dfsg-1
5.2.4+dfsg-1
5.2.5+dfsg-1
5.2.6+dfsg-1
5.3.9+dfsg-1
5.3.10+dfsg-1
5.3.12+dfsg-1
5.3.12+dfsg-2
5.4.0~beta1+dfsg-1
5.4.0~beta2+dfsg-1
5.4.0~beta3+dfsg-1
5.4.0~rc1+dfsg-1
5.4.0~rc1+dfsg-2
5.4.0~rc1+dfsg-3
5.4.0+dfsg-1
5.4.0+dfsg-2
5.4.1+dfsg-1
5.4.2+dfsg-1
5.4.2+dfsg-2
5.4.2+dfsg-3
5.4.4+dfsg-1
5.4.6+dfsg-1
5.4.8+dfsg-1
5.4.9+dfsg-1
5.4.9+dfsg-2
5.4.10+dfsg-1
5.4.11+dfsg-1
5.4.11+dfsg-2
5.4.12+dfsg-1
5.4.12+dfsg-2
5.4.13+dfsg-1
5.4.14+dfsg-1
5.4.15+dfsg-1
5.4.16+dfsg-1
5.4.18+dfsg-1
5.4.18+dfsg-2
5.4.18+dfsg-3
5.4.19+dfsg-1
5.4.20+dfsg-1
5.4.21+dfsg-1
5.4.22+dfsg-1
5.4.22+dfsg-2
5.4.22+dfsg-3
5.4.23+dfsg-1
5.4.24+dfsg-1
5.4.25+dfsg-1
5.4.27+dfsg-1
5.4.28+dfsg-1
5.4.29+dfsg-1
5.4.30+dfsg-1
5.4.31+dfsg-1
5.4.31+dfsg-2
5.4.32+dfsg-1
5.4.33+dfsg-1
5.4.34+dfsg-1
5.4.34+dfsg-2
5.4.35+dfsg-1
5.4.35+dfsg-2
5.4.35+dfsg-3

6.*

6.3.0~rc1+dfsg-1
6.3.0~rc2+dfsg-1
6.3.0+dfsg-1
6.3.1+dfsg-1
6.3.3+dfsg-1
6.3.4+dfsg-1
6.3.5+dfsg-1
6.3.6+dfsg-1
6.3.7+dfsg-1
6.4.0~beta2+dfsg-1
6.4.0~beta3+dfsg-1
6.4.0~rc1+dfsg-1
6.4.0~rc2+dfsg-1
6.4.0+dfsg-1
6.4.1+dfsg-1
6.4.2+dfsg-1
6.4.3+dfsg-1
6.4.4+dfsg-1
6.4.4+dfsg-2
6.4.4+dfsg-3
6.4.4+dfsg-4
6.4.5+dfsg-1
6.4.5+dfsg-2
6.4.5+dfsg-3
6.4.5+dfsg-4
6.4.6+dfsg-1
6.4.7+dfsg-1
6.4.9+dfsg-1
6.4.10+dfsg-1
6.4.11+dfsg-1
6.4.12+dfsg-1
6.4.13+dfsg-1
6.4.14+dfsg-1

7.*

7.0.4+dfsg-1
7.0.5+dfsg-1
7.0.6+dfsg-1
7.0.7+dfsg-1
7.1.0~beta1+dfsg-1
7.1.0~rc1+dfsg-1
7.1.2+dfsg-1
7.1.3+dfsg-1
7.1.4+dfsg-1
7.1.5+dfsg-1
7.2.0~beta1+dfsg-1
7.2.0~beta2+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / symfony

Package

Name
symfony
Purl
pkg:deb/debian/symfony?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.4.23+dfsg-1+deb12u3

Affected versions

5.*

5.4.23+dfsg-1
5.4.23+dfsg-1+deb12u1
5.4.23+dfsg-1+deb12u2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / symfony

Package

Name
symfony
Purl
pkg:deb/debian/symfony?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.4.14+dfsg-1

Affected versions

5.*

5.4.23+dfsg-1
5.4.24+dfsg-1
5.4.25+dfsg-1
5.4.27+dfsg-1
5.4.28+dfsg-1
5.4.29+dfsg-1
5.4.30+dfsg-1
5.4.31+dfsg-1
5.4.31+dfsg-2
5.4.32+dfsg-1
5.4.33+dfsg-1
5.4.34+dfsg-1
5.4.34+dfsg-2
5.4.35+dfsg-1
5.4.35+dfsg-2
5.4.35+dfsg-3

6.*

6.3.0~rc1+dfsg-1
6.3.0~rc2+dfsg-1
6.3.0+dfsg-1
6.3.1+dfsg-1
6.3.3+dfsg-1
6.3.4+dfsg-1
6.3.5+dfsg-1
6.3.6+dfsg-1
6.3.7+dfsg-1
6.4.0~beta2+dfsg-1
6.4.0~beta3+dfsg-1
6.4.0~rc1+dfsg-1
6.4.0~rc2+dfsg-1
6.4.0+dfsg-1
6.4.1+dfsg-1
6.4.2+dfsg-1
6.4.3+dfsg-1
6.4.4+dfsg-1
6.4.4+dfsg-2
6.4.4+dfsg-3
6.4.4+dfsg-4
6.4.5+dfsg-1
6.4.5+dfsg-2
6.4.5+dfsg-3
6.4.5+dfsg-4
6.4.6+dfsg-1
6.4.7+dfsg-1
6.4.9+dfsg-1
6.4.10+dfsg-1
6.4.11+dfsg-1
6.4.12+dfsg-1
6.4.13+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}