GHSA-jxgr-3v7q-3w9v
Suggest an improvement- Source
- https://github.com/advisories/GHSA-jxgr-3v7q-3w9v
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-jxgr-3v7q-3w9v/GHSA-jxgr-3v7q-3w9v.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-jxgr-3v7q-3w9v
- Aliases
- Published
- 2024-11-06T15:13:42Z
- Modified
- 2024-11-07T00:46:16.846784Z
- Severity
-
- 3.1 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
- 2.3 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Symfony's `Security::login` does not take into account custom `user_checker`
- Details
-
Description
The custom
user_checkerdefined on a firewall is not called when Login Programmaticaly with theSecurity::loginmethod, leading to unwanted login.Resolution
The
Security::loginmethod now ensure to call the configureduser_checker.The patch for this issue is available here for branch 6.4.
Credits
We would like to thank Oleg Andreyev, Antoine MAKDESSI for reporting the issue and Christian Flothmann for providing the fix.
- Database specific
{ "nvd_published_at": "2024-11-06T21:15:05Z", "cwe_ids": [ "CWE-287" ], "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2024-11-06T15:13:42Z" }- References
-
- https://github.com/symfony/symfony/security/advisories/GHSA-jxgr-3v7q-3w9v
- https://nvd.nist.gov/vuln/detail/CVE-2024-50341
- https://github.com/symfony/symfony/commit/22a0789a0085c3ee96f4ef715ecad8255cf0e105
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-bundle/CVE-2024-50341.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2024-50341.yaml
- https://github.com/symfony/symfony
- https://symfony.com/cve-2024-50341
Affected packages
Packagist / symfony/security-bundle
Package
- Name
- symfony/security-bundle
- Purl
- pkg:composer/symfony/security-bundle
Affected versions
v6.*
v6.2.0
v6.2.2
v6.2.3
v6.2.5
v6.2.6
v6.2.7
v6.2.8
v6.2.10
v6.2.11
v6.2.12
v6.2.13
v6.3.0-BETA1
v6.3.0-BETA2
v6.3.0-RC1
v6.3.0-RC2
v6.3.0
v6.3.1
v6.3.2
v6.3.3
v6.3.4
v6.3.5
v6.3.6
v6.3.7
v6.3.8
v6.3.11
v6.3.12
v6.4.0-BETA1
v6.4.0-BETA2
v6.4.0-BETA3
v6.4.0-RC1
v6.4.0
v6.4.2
v6.4.3
v6.4.4
v6.4.5
v6.4.6
v6.4.7
v6.4.8
v6.4.9
Packagist / symfony/security-bundle
Package
- Name
- symfony/security-bundle
- Purl
- pkg:composer/symfony/security-bundle
Packagist / symfony/security-bundle
Package
- Name
- symfony/security-bundle
- Purl
- pkg:composer/symfony/security-bundle
Packagist / symfony/symfony
Package
- Name
- symfony/symfony
- Purl
- pkg:composer/symfony/symfony
Affected versions
v6.*
v6.2.0
v6.2.1
v6.2.2
v6.2.3
v6.2.4
v6.2.5
v6.2.6
v6.2.7
v6.2.8
v6.2.9
v6.2.10
v6.2.11
v6.2.12
v6.2.13
v6.2.14
v6.3.0-BETA1
v6.3.0-BETA2
v6.3.0-BETA3
v6.3.0-RC1
v6.3.0-RC2
v6.3.0
v6.3.1
v6.3.2
v6.3.3
v6.3.4
v6.3.5
v6.3.6
v6.3.7
v6.3.8
v6.3.9
v6.3.10
v6.3.11
v6.3.12
v6.4.0-BETA1
v6.4.0-BETA2
v6.4.0-BETA3
v6.4.0-RC1
v6.4.0-RC2
v6.4.0
v6.4.1
v6.4.2
v6.4.3
v6.4.4
v6.4.5
v6.4.6
v6.4.7
v6.4.8
v6.4.9
Packagist / symfony/symfony
Package
- Name
- symfony/symfony
- Purl
- pkg:composer/symfony/symfony
Packagist / symfony/symfony
Package
- Name
- symfony/symfony
- Purl
- pkg:composer/symfony/symfony