CVE-2024-51736

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2024-51736

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-51736.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-51736

Aliases

GHSA-qq5c-677p-737q

Published

2024-11-06T20:51:38.536Z

Modified

2026-04-10T05:14:55.765905Z

Severity

0.0 (None) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N CVSS Calculator

Summary

Command execution hijack on Windows with Process class in symfony/process

Details

Symphony process is a module for the Symphony PHP framework which executes commands in sub-processes. On Windows, when an executable file named cmd.exe is located in the current working directory it will be called by the Process class when preparing command arguments, leading to possible hijacking. This issue has been addressed in release versions 5.4.46, 6.4.14, and 7.1.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Database specific

{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-77"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/51xxx/CVE-2024-51736.json"
}

References

Affected packages

Git / github.com/symfony/symfony

Affected ranges

Type

GIT

Repo

https://github.com/symfony/symfony

Events

Introduced

Fixed

057d88bef2d18a10d3b0b8fb093332131dc58e2f

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "5.4.46"
        }
    ]
}

Type

GIT

Repo

https://github.com/symfony/symfony

Events

Introduced

aa4e97099b5a67bdc9f2387fe8d099f5c712f81c

Fixed

d1797e5b5b549673b1d5aac7a081af8db9f258e6

Database specific

{
    "versions": [
        {
            "introduced": "6.0.0"
        },
        {
            "fixed": "6.4.14"
        }
    ]
}

Type

GIT

Repo

https://github.com/symfony/symfony

Events

Introduced

d78c5f403d7ee794993660b1d5155536edd36fc1

Fixed

5001143568bc2bce9ec77f7a85076aa75d38795e

Database specific

{
    "versions": [
        {
            "introduced": "7.0.0"
        },
        {
            "fixed": "7.1.7"
        }
    ]
}

Affected versions

v2.*

v2.0.0

v2.0.0-RC1

v2.0.0-RC2

v2.0.0-RC3

v2.0.0-RC4

v2.0.0-RC5

v2.0.0-RC6

v2.0.0BETA1

v2.0.0BETA2

v2.0.0BETA3

v2.0.0BETA4

v2.0.0BETA5

v2.0.0PR8

v2.1.0

v2.1.0-BETA1

v2.1.0-BETA2

v2.1.0-BETA3

v2.1.0-BETA4

v2.1.0-RC1

v2.1.0-RC2

v2.2.0-BETA1

v2.2.0-BETA2

v2.3.0-BETA1

v2.3.0-BETA2

v2.4.0-BETA1

v2.4.0-BETA2

v2.5.0-BETA1

v2.5.0-BETA2

v2.6.0-BETA1

v3.*

v3.0.0

v3.0.0-BETA1

v3.2.0-BETA1

v3.2.0-RC1

v3.3.0-BETA1

v4.*

v4.0.0-BETA1

v4.0.0-BETA2

v4.0.0-BETA3

v4.0.0-BETA4

v4.2.0-BETA1

v4.2.0-BETA2

v4.3.0-BETA1

v5.*

v5.0.0-BETA1

v5.0.0-BETA2

v5.0.0-RC1

v5.1.0-BETA1

v5.2.0-BETA1

v5.2.0-BETA2

v5.2.0-BETA3

v5.3.0-BETA1

v5.3.0-BETA2

v5.3.0-BETA3

v5.3.0-BETA4

v5.4.0

v5.4.0-BETA1

v5.4.0-BETA2

v5.4.0-BETA3

v5.4.0-RC1

v5.4.1

v5.4.10

v5.4.11

v5.4.12

v5.4.13

v5.4.14

v5.4.15

v5.4.16

v5.4.17

v5.4.18

v5.4.19

v5.4.2

v5.4.20

v5.4.21

v5.4.22

v5.4.23

v5.4.24

v5.4.25

v5.4.26

v5.4.27

v5.4.28

v5.4.29

v5.4.3

v5.4.30

v5.4.31

v5.4.32

v5.4.33

v5.4.34

v5.4.35

v5.4.36

v5.4.37

v5.4.38

v5.4.39

v5.4.4

v5.4.40

v5.4.41

v5.4.42

v5.4.43

v5.4.44

v5.4.45

v5.4.5

v5.4.6

v5.4.7

v5.4.8

v5.4.9

Other

vPR3

vPR4

vPR5

vPR6

vPR8

vPR9

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-51736.json"