GHSA-jxgr-3v7q-3w9v

Suggest an improvement
Source
https://github.com/advisories/GHSA-jxgr-3v7q-3w9v
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-jxgr-3v7q-3w9v/GHSA-jxgr-3v7q-3w9v.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-jxgr-3v7q-3w9v
Aliases
Published
2024-11-06T15:13:42Z
Modified
2024-11-07T00:46:16.846784Z
Severity
  • 3.1 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
  • 2.3 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Symfony's `Security::login` does not take into account custom `user_checker`
Details

Description

The custom user_checker defined on a firewall is not called when Login Programmaticaly with the Security::login method, leading to unwanted login.

Resolution

The Security::login method now ensure to call the configured user_checker.

The patch for this issue is available here for branch 6.4.

Credits

We would like to thank Oleg Andreyev, Antoine MAKDESSI for reporting the issue and Christian Flothmann for providing the fix.

Database specific 
{
    "nvd_published_at": "2024-11-06T21:15:05Z",
    "cwe_ids": [
        "CWE-287"
    ],
    "severity": "LOW",
    "github_reviewed_at": "2024-11-06T15:13:42Z",
    "github_reviewed": true
}
References

Affected packages

Packagist

symfony/security-bundle

Package

Name
symfony/security-bundle
Purl
pkg:composer/symfony/security-bundle

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.4.10

Affected versions

v6.*

v6.2.0
v6.2.2
v6.2.3
v6.2.5
v6.2.6
v6.2.7
v6.2.8
v6.2.10
v6.2.11
v6.2.12
v6.2.13
v6.3.0-BETA1
v6.3.0-BETA2
v6.3.0-RC1
v6.3.0-RC2
v6.3.0
v6.3.1
v6.3.2
v6.3.3
v6.3.4
v6.3.5
v6.3.6
v6.3.7
v6.3.8
v6.3.11
v6.3.12
v6.4.0-BETA1
v6.4.0-BETA2
v6.4.0-BETA3
v6.4.0-RC1
v6.4.0
v6.4.2
v6.4.3
v6.4.4
v6.4.5
v6.4.6
v6.4.7
v6.4.8
v6.4.9

symfony/security-bundle

Package

Name
symfony/security-bundle
Purl
pkg:composer/symfony/security-bundle

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.0.0
Fixed
7.0.10

Affected versions

v7.*

v7.0.0
v7.0.2
v7.0.3
v7.0.4
v7.0.5
v7.0.6
v7.0.7
v7.0.8
v7.0.9

symfony/security-bundle

Package

Name
symfony/security-bundle
Purl
pkg:composer/symfony/security-bundle

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.1.0
Fixed
7.1.3

Affected versions

v7.*

v7.1.0
v7.1.1
v7.1.2

symfony/symfony

Package

Name
symfony/symfony
Purl
pkg:composer/symfony/symfony

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.4.10

Affected versions

v6.*

v6.2.0
v6.2.1
v6.2.2
v6.2.3
v6.2.4
v6.2.5
v6.2.6
v6.2.7
v6.2.8
v6.2.9
v6.2.10
v6.2.11
v6.2.12
v6.2.13
v6.2.14
v6.3.0-BETA1
v6.3.0-BETA2
v6.3.0-BETA3
v6.3.0-RC1
v6.3.0-RC2
v6.3.0
v6.3.1
v6.3.2
v6.3.3
v6.3.4
v6.3.5
v6.3.6
v6.3.7
v6.3.8
v6.3.9
v6.3.10
v6.3.11
v6.3.12
v6.4.0-BETA1
v6.4.0-BETA2
v6.4.0-BETA3
v6.4.0-RC1
v6.4.0-RC2
v6.4.0
v6.4.1
v6.4.2
v6.4.3
v6.4.4
v6.4.5
v6.4.6
v6.4.7
v6.4.8
v6.4.9

symfony/symfony

Package

Name
symfony/symfony
Purl
pkg:composer/symfony/symfony

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.0.0
Fixed
7.0.10

Affected versions

v7.*

v7.0.0
v7.0.1
v7.0.2
v7.0.3
v7.0.4
v7.0.5
v7.0.6
v7.0.7
v7.0.8
v7.0.9

symfony/symfony

Package

Name
symfony/symfony
Purl
pkg:composer/symfony/symfony

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.1.0
Fixed
7.1.3

Affected versions

v7.*

v7.1.0
v7.1.1
v7.1.2