GHSA-cg23-qf8f-62rr
Suggest an improvement- Source
- https://github.com/advisories/GHSA-cg23-qf8f-62rr
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-cg23-qf8f-62rr/GHSA-cg23-qf8f-62rr.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-cg23-qf8f-62rr
- Aliases
- Published
- 2024-11-13T18:29:04Z
- Modified
- 2024-11-15T00:00:56.485278Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Symfony has an Authentication Bypass via RememberMe
- Details
-
Description
When consuming a persisted remember-me cookie, Symfony does not check if the username persisted in the database matches the username attached with the cookie, leading to authentication bypass.
Resolution
The
PersistentRememberMeHandlerclass now ensures the submitted username is the cookie owner.The patch for this issue is available here for branch 5.4.
Credits
We would like to thank Moritz Rauch - Pentryx AG for reporting the issue and Jérémy Derussé for providing the fix.
- Database specific
{ "nvd_published_at": "2024-11-13T17:15:11Z", "cwe_ids": [ "CWE-287", "CWE-289" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-11-13T18:29:04Z" }- References
-
- https://github.com/symfony/symfony/security/advisories/GHSA-cg23-qf8f-62rr
- https://nvd.nist.gov/vuln/detail/CVE-2024-51996
- https://github.com/symfony/symfony/commit/81354d392c5f0b7a52bcbd729d6f82501e94135a
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-http/CVE-2024-51996.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2024-51996.yaml
- https://github.com/symfony/symfony
- https://symfony.com/cve-2024-51996
Affected packages
Packagist / symfony/security-http
Package
- Name
- symfony/security-http
- Purl
- pkg:composer/symfony/security-http
Affected versions
v5.*
v5.3.0
v5.3.1
v5.3.2
v5.3.3
v5.3.4
v5.3.6
v5.3.7
v5.3.8
v5.3.10
v5.3.11
v5.3.13
v5.3.14
v5.4.0-BETA1
v5.4.0-BETA2
v5.4.0-RC1
v5.4.0
v5.4.2
v5.4.3
v5.4.5
v5.4.8
v5.4.9
v5.4.10
v5.4.11
v5.4.12
v5.4.13
v5.4.15
v5.4.17
v5.4.19
v5.4.20
v5.4.21
v5.4.22
v5.4.23
v5.4.26
v5.4.28
v5.4.30
v5.4.31
v5.4.35
v5.4.36
v5.4.38
v5.4.39
v5.4.40
v5.4.41
v5.4.43
v5.4.44
v5.4.45
v5.4.46
Packagist / symfony/security-http
Package
- Name
- symfony/security-http
- Purl
- pkg:composer/symfony/security-http
Affected versions
v6.*
v6.0.0-BETA1
v6.0.0-BETA2
v6.0.0-RC1
v6.0.0
v6.0.1
v6.0.2
v6.0.3
v6.0.5
v6.0.7
v6.0.8
v6.0.9
v6.0.10
v6.0.11
v6.0.12
v6.0.13
v6.0.14
v6.0.15
v6.0.17
v6.0.19
v6.0.20
v6.1.0-BETA1
v6.1.0-BETA2
v6.1.0-RC1
v6.1.0
v6.1.1
v6.1.2
v6.1.3
v6.1.4
v6.1.5
v6.1.6
v6.1.7
v6.1.9
v6.1.11
v6.1.12
v6.2.0-BETA1
v6.2.0-BETA3
v6.2.0-RC1
v6.2.0
v6.2.2
v6.2.5
v6.2.6
v6.2.7
v6.2.8
v6.2.10
v6.2.11
v6.2.13
v6.3.0-BETA1
v6.3.0-RC1
v6.3.0
v6.3.1
v6.3.2
v6.3.4
v6.3.5
v6.3.6
v6.3.8
v6.3.12
v6.4.0-BETA1
v6.4.0-BETA3
v6.4.0-RC1
v6.4.0-RC2
v6.4.0
v6.4.3
v6.4.4
v6.4.7
v6.4.8
v6.4.9
v6.4.11
v6.4.12
v6.4.13
v6.4.14
Packagist / symfony/security-http
Package
- Name
- symfony/security-http
- Purl
- pkg:composer/symfony/security-http