DEBIAN-CVE-2024-50340

See a problem?
Please try reporting it to the source first.
Source
https://security-tracker.debian.org/tracker/CVE-2024-50340
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2024-50340.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2024-50340
Upstream
Published
2024-11-06T21:15:05Z
Modified
2025-09-25T04:18:44.212708Z
Summary
[none]
Details

symfony/runtime is a module for the Symphony PHP framework which enables decoupling PHP applications from global state. When the register_argv_argc php directive is set to on , and users call any URL with a special crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request. As of versions 5.4.46, 6.4.14, and 7.1.7 the SymfonyRuntime now ignores the argv values for non-SAPI PHP runtimes. All users are advised to upgrade. There are no known workarounds for this vulnerability.

References

Affected packages

Debian:12 / symfony

Package

Name
symfony
Purl
pkg:deb/debian/symfony?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.4.23+dfsg-1+deb12u3

Affected versions

5.*

5.4.23+dfsg-1
5.4.23+dfsg-1+deb12u1
5.4.23+dfsg-1+deb12u2

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:13 / symfony

Package

Name
symfony
Purl
pkg:deb/debian/symfony?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.4.14+dfsg-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:14 / symfony

Package

Name
symfony
Purl
pkg:deb/debian/symfony?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.4.14+dfsg-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}