CVE-2024-50342 LOW

CVE-2024-50342: Internal address and port enumeration allowed by NoPrivateNetworkHttpClient in symfony/http-client

Vendor Symfony

Product symfony

Weakness CWE-200 · Info exposure

Published November 6, 2024

Last update November 7, 2024

View on NVD All CVEs

CVSS base score

3.1/10

Attack vector Network

Attack complexity High

Privileges required Low

User interaction None

Confidentiality Low

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

symfony/http-client is a module for the Symphony PHP framework which provides powerful methods to fetch HTTP resources synchronously or asynchronously. When using the `NoPrivateNetworkHttpClient`, some internal information is still leaking during host resolution, which leads to possible IP/port enumeration. As of versions 5.4.46, 6.4.14, and 7.1.7 the `NoPrivateNetworkHttpClient` now filters blocked IPs earlier to prevent such leaks. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Key dates

02Disclosure timeline

November 6, 2024 CVE published

November 7, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-50342

Related vulnerabilities

Identifiers

CVE CVE-2024-50342

CWE CWE-200

CVSS 3.1 / LOW

Affected versions

Vendor Symfony

Product symfony

Affected < 5.4.46

Vendor Symfony

Product symfony

Affected >= 6.0.0, < 6.4.14

Vendor Symfony

Product symfony

Affected >= 7.0.0, < 7.1.7

CVE-2024-50342: Internal address and port enumeration allowed by NoPrivateNetworkHttpClient in symfony/http-client

01Description

02Disclosure timeline

03References

04Related CVE