CVE-2024-50341

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-50341
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-50341.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-50341
Aliases
Downstream
Published
2024-11-06T21:06:49.426Z
Modified
2025-12-05T07:18:50.165524Z
Severity
  • 3.1 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
Security::login does not take into account custom user_checker in symfony/security-bundle
Details

symfony/security-bundle is a module for the Symphony PHP framework which provides a tight integration of the Security component into the Symfony full-stack framework. The custom user_checker defined on a firewall is not called when Login Programmaticaly with the Security::login method, leading to unwanted login. As of versions 6.4.10, 7.0.10 and 7.1.3 the Security::login method now ensure to call the configured user_checker. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Database specific 
{
    "cwe_ids": [
        "CWE-287"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/50xxx/CVE-2024-50341.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/symfony/symfony

Affected ranges

Type
GIT
Repo
https://github.com/symfony/symfony
Events
Introduced
ed9b9e7795c3e30c6d70c6ecf013a28910f6e15e
Fixed
938c0728518f9df199477d90ee43838359f81a7a
Database specific 
{
    "versions": [
        {
            "introduced": "6.2.0"
        },
        {
            "fixed": "6.4.10"
        }
    ]
}
Type
GIT
Repo
https://github.com/symfony/symfony
Events
Introduced
d78c5f403d7ee794993660b1d5155536edd36fc1
Fixed
96e43bf86ac6126cc61a634b34987821b69f7af9
Database specific 
{
    "versions": [
        {
            "introduced": "7.0.0"
        },
        {
            "fixed": "7.0.10"
        }
    ]
}
Type
GIT
Repo
https://github.com/symfony/symfony
Events
Introduced
08964d6da4787cd5f19e60f8aaf41ffd26d6c8c3
Fixed
60ccc390f438c3a11b601d385b77c6f2431ffc5d
Database specific 
{
    "versions": [
        {
            "introduced": "7.1.0"
        },
        {
            "fixed": "7.1.3"
        }
    ]
}

Affected versions

v4.*

v4.4.50
v4.4.51

v5.*

v5.4.17
v5.4.18
v5.4.19
v5.4.20
v5.4.21
v5.4.22
v5.4.23
v5.4.24
v5.4.25
v5.4.26
v5.4.27
v5.4.28
v5.4.29
v5.4.30
v5.4.31
v5.4.32
v5.4.33
v5.4.34
v5.4.35
v5.4.36
v5.4.37
v5.4.38
v5.4.39
v5.4.40
v5.4.41

v6.*

v6.0.17
v6.0.18
v6.0.19
v6.1.10
v6.1.11
v6.1.9
v6.2.0
v6.2.1
v6.2.10
v6.2.11
v6.2.12
v6.2.13
v6.2.14
v6.2.2
v6.2.3
v6.2.4
v6.2.5
v6.2.6
v6.2.7
v6.2.8
v6.2.9
v6.3.0
v6.3.0-BETA1
v6.3.0-BETA2
v6.3.0-BETA3
v6.3.0-RC1
v6.3.0-RC2
v6.3.1
v6.3.10
v6.3.11
v6.3.12
v6.3.2
v6.3.3
v6.3.4
v6.3.5
v6.3.6
v6.3.7
v6.3.8
v6.3.9
v6.4.0
v6.4.0-BETA1
v6.4.0-BETA2
v6.4.0-BETA3
v6.4.0-RC1
v6.4.0-RC2
v6.4.1
v6.4.2
v6.4.3
v6.4.4
v6.4.5
v6.4.6
v6.4.7
v6.4.8
v6.4.9

v7.*

v7.0.0
v7.0.1
v7.0.2
v7.0.3
v7.0.4
v7.0.5
v7.0.6
v7.0.7
v7.0.8
v7.0.9
v7.1.0
v7.1.1
v7.1.2