Detections
Analytics
Symfony < 5.4.46 / 6.x < 6.4.14 / 7.x < 7.1.7 Improper Input Handling
high Web App Scanning Plugin ID 114497
Language:
Synopsis
Symfony < 5.4.46 / 6.x < 6.4.14 / 7.x < 7.1.7 Improper Input HandlingDescription
Symfony versions prior to 5.4.46 or 6.x prior to 6.4.14 or 7.x prior to 7.1.7 is vulnerable when the register_argc_argv php directive is set to 'on' and users call any URL with a special crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request.Solution
Upgrade to Symfony version 5.4.46 or 6.4.14 or 7.1.7 or later.See Also
https://github.com/symfony/symfony/commit/a77b308c3f179ed7c8a8bc295f82b2d6ee3493fa
https://symfony.com/blog/cve-2024-50340-ability-to-change-environment-from-query
Plugin Details
Severity: High
ID: 114497
Type: remote
Family: Component Vulnerability
Published: 11/7/2024
Updated: 11/8/2024
Scan Template: api, basic, full, pci, scan
Risk Information
VPR
Risk Factor: Medium
Score: 4.9
CVSS v2
Risk Factor: High
Base Score: 7.5
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS Score Source: CVE-2024-50340
CVSS v3
Risk Factor: High
Base Score: 7.3
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CVSS Score Source: CVE-2024-50340
Vulnerability Information
CPE: cpe:2.3:a:sensiolabs:symfony:*:*:*:*:*:*:*:*
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 11/5/2024
Vulnerability Publication Date: 11/6/2024
Reference Information
CVE: CVE-2024-50340
CWE: 74
OWASP: 2010-A1, 2013-A1, 2013-A9, 2017-A1, 2017-A9, 2021-A3, 2021-A6
WASC: Improper Input Handling
CAPEC: 10, 101, 108, 120, 13, 135, 14, 24, 250, 267, 273, 28, 3, 34, 42, 43, 45, 46, 47, 51, 52, 53, 6, 64, 67, 7, 71, 72, 76, 78, 79, 8, 80, 83, 84, 9
DISA STIG: APSC-DV-002560, APSC-DV-002630
HIPAA: 164.306(a)(1), 164.306(a)(2)
ISO: 27001-A.14.2.5
NIST: sp800_53-CM-6b, sp800_53-SI-10
OWASP API: 2019-API7, 2019-API8, 2023-API8
OWASP ASVS: 4.0.2-14.2.1, 4.0.2-5.2.5