CVE-2024-51996 HIGH

CVE-2024-51996: Symfony has an Authentication Bypass via RememberMe

Vendor Symfony
Product symfony
Weakness CWE-287 · Improper authentication
Published November 13, 2024
Last update November 13, 2024

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01 Description

Symfony Process is a module for the Symfony PHP framework which executes commands in sub-processes. When consuming a persisted remember-me cookie, Symfony does not check whether the username persisted in the database matches the username attached to the cookie, leading to authentication bypass. This vulnerability is fixed in 5.4.47, 6.4.15, and 7.1.8.
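The following is an added illustration of the missing check, not Symfony's own code and not the actual patch. It models a persistent remember-me lookup keyed by the token's series id, with an in-memory array standing in for the database table; the cookie layout (`base64("username:series:tokenValue")`), the `PersistentToken` class, the store contents and the function names are all assumptions made for this example (PHP 8.1 or later). The marked comparison is the kind of check the fixed releases add: the stored row found by series must belong to the user named in the cookie, otherwise the cookie is rejected.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for a persisted remember-me row (not Symfony's class).
final class PersistentToken
{
    public function __construct(
        public readonly string $userIdentifier,
        public readonly string $series,
        public readonly string $tokenValue,
    ) {}
}

// Assumed cookie format for this example: base64("username:series:tokenValue").
function parseRememberMeCookie(string $cookie): array
{
    $decoded = base64_decode($cookie, true);
    if ($decoded === false || substr_count($decoded, ':') !== 2) {
        throw new RuntimeException('Malformed remember-me cookie');
    }
    return explode(':', $decoded, 3); // [userIdentifier, series, tokenValue]
}

// Consume a cookie against the store. Lookup is by series only, which is exactly why
// the identity comparison below is required: without it the caller would trust the
// username carried in the cookie rather than the one stored with the token.
function consumeRememberMeCookie(array $store, string $cookie): string
{
    [$cookieUser, $series, $tokenValue] = parseRememberMeCookie($cookie);

    $persisted = $store[$series] ?? throw new RuntimeException('Unknown series');

    // Constant-time comparison of the secret token value.
    if (!hash_equals($persisted->tokenValue, $tokenValue)) {
        throw new RuntimeException('Token value mismatch');
    }

    // The check the fixed releases perform: the persisted user must match the cookie's user.
    if (!hash_equals($persisted->userIdentifier, $cookieUser)) {
        throw new RuntimeException('Username in cookie does not match persisted token');
    }

    // Authenticate as the stored identity, never as the cookie's claim.
    return $persisted->userIdentifier;
}

// Constructed in-memory stand-in for the token table, keyed by series.
$tokenStore = [
    'series-alice' => new PersistentToken('alice', 'series-alice', 'tok-alice'),
];

// A consistent cookie authenticates its owner.
$good = base64_encode('alice:series-alice:tok-alice');
echo consumeRememberMeCookie($tokenStore, $good), "\n"; // alice

// A cookie whose username disagrees with the stored row is refused, even though
// series and token value are valid.
$mismatched = base64_encode('someone-else:series-alice:tok-alice');
try {
    consumeRememberMeCookie($tokenStore, $mismatched);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

When reviewing a remember-me implementation, the point to verify is the last comparison: after the token row has been located and its secret compared, the identity that is actually authenticated must be the one stored with the row, and any username carried in the cookie must agree with it or the cookie is discarded. Upgrading to 5.4.47, 6.4.15 or 7.1.8 is the actual remediation for Symfony; the snippet only shows what the added check looks like in principle.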

Key dates

02 Disclosure timeline

November 13, 2024 CVE published
November 13, 2024 Record updated