CVE-2024-51996

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-51996
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-51996.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-51996
Aliases
Downstream
Published
2024-11-13T16:18:49.473Z
Modified
2025-11-28T02:35:00.191403Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Symphony has an Authentication Bypass via RememberMe
Details

Symphony process is a module for the Symphony PHP framework which executes commands in sub-processes. When consuming a persisted remember-me cookie, Symfony does not check if the username persisted in the database matches the username attached with the cookie, leading to authentication bypass. This vulnerability is fixed in 5.4.47, 6.4.15, and 7.1.8.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/51xxx/CVE-2024-51996.json",
    "cwe_ids": [
        "CWE-287",
        "CWE-289"
    ]
}
References

Affected packages

Git / github.com/symfony/symfony

Affected ranges

Type
GIT
Repo
https://github.com/symfony/symfony
Events
Introduced
bc3abacc8bed6ca1e6924bed48580b85eccf4e82
Fixed
d869cc180cf38d3848feff1dcf38fefaecfd8177
Database specific 
{
    "versions": [
        {
            "introduced": "5.3.0"
        },
        {
            "fixed": "5.4.47"
        }
    ]
}
Type
GIT
Repo
https://github.com/symfony/symfony
Events
Introduced
67778bf0d384584bc59bb618a91ef6b08e9153c6
Fixed
cfb00ec539f6a3b5a9fb43c8cba67a21725e8937
Database specific 
{
    "versions": [
        {
            "introduced": "6.0.0-BETA1"
        },
        {
            "fixed": "6.4.15"
        }
    ]
}
Type
GIT
Repo
https://github.com/symfony/symfony
Events
Introduced
ed57652df42aef294f411ef53dcfa5d6b7da2f90
Fixed
fa8dfde81afc7854283eb4c0261213dc098d4930
Database specific 
{
    "versions": [
        {
            "introduced": "7.0.0-BETA1"
        },
        {
            "fixed": "7.1.8"
        }
    ]
}