Homepage
About Snyk

Authentication Bypass Affecting symfony/security-http package, versions >=5.3.0, <5.4.47 >=6.0.0-BETA1, <6.4.15 >=7.0.0-BETA1, <7.1.8

Severity

 Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PHP-SYMFONYSECURITYHTTP-8378053
  • published 14 Nov 2024
  • disclosed 13 Nov 2024
  • credit Moritz Rauch - Pentryx AG
Report a new vulnerability Found a mistake?

Introduced: 13 Nov 2024

New CVE-2024-51996 Open this link in a new tab
CWE-287 Open this link in a new tab

How to fix?

Upgrade symfony/security-http to version 5.4.47, 6.4.15, 7.1.8 or higher.

Overview

symfony/security-http is a provides an infrastructure for sophisticated authorization systems, which makes it possible to easily separate the actual authorization logic from so called user providers that hold the users credentials.

Affected versions of this package are vulnerable to Authentication Bypass via the consumeRememberMeCookie function due to improper validation between the username persisted in the database and the username attached to the cookie.

CVSS Scores

version 4.0
version 3.1
Expand this section

Snyk

Recommended
8.7 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Attack Requirements (AT)
    None
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Confidentiality (VC)
    High
  • Integrity (VI)
    None
  • Availability (VA)
    None
  • Confidentiality (SC)
    None
  • Integrity (SI)
    None
  • Availability (SA)
    None