CVE-2024-50341

symfony/security-bundle is a module for the Symphony PHP framework which provides a tight integration of the Security component into the Symfony full-stack framework. The custom user_checker defined on a firewall is not called when Login Programmaticaly with the Security::login method, leading to unwanted login. As of versions 6.4.10, 7.0.10 and 7.1.3 the Security::login method now ensure to call the configured user_checker. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/50xxx/CVE-2024-50341.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-287"
    ]
}

References

Affected packages

Git / github.com/symfony/symfony

Affected ranges

Type

GIT

Repo

https://github.com/symfony/symfony

Events

Introduced

ed9b9e7795c3e30c6d70c6ecf013a28910f6e15e

Fixed

938c0728518f9df199477d90ee43838359f81a7a

Database specific

{
    "versions": [
        {
            "introduced": "6.2.0"
        },
        {
            "fixed": "6.4.10"
        }
    ]
}

Type

GIT

Repo

https://github.com/symfony/symfony

Events

Introduced

d78c5f403d7ee794993660b1d5155536edd36fc1

Fixed

96e43bf86ac6126cc61a634b34987821b69f7af9

Database specific

{
    "versions": [
        {
            "introduced": "7.0.0"
        },
        {
            "fixed": "7.0.10"
        }
    ]
}

Type

GIT

Repo

https://github.com/symfony/symfony

Events

Introduced

08964d6da4787cd5f19e60f8aaf41ffd26d6c8c3

Fixed

60ccc390f438c3a11b601d385b77c6f2431ffc5d

Database specific

{
    "versions": [
        {
            "introduced": "7.1.0"
        },
        {
            "fixed": "7.1.3"
        }
    ]
}

Affected versions

v7.*

v7.0.0

v7.0.1

v7.0.2

v7.0.3

v7.0.4

v7.0.5

v7.0.6

v7.0.7

v7.0.8

v7.0.9

v7.1.0

v7.1.1

v7.1.2

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-50341.json"