Symfony Runtime Ignores Arguments in Non-SAPI PHP Runtimes
CVE-2024-50340

Key Information:

Vendor: Symfony

CVE Published: 6 November 2024

Badges: 🟣 EPSS 82%; 📰 News Worthy

Summary

The vulnerability CVE-2024-50340 affects the Symfony Runtime component in versions >=6, >=7, and <7.1.7, allowing unauthorized access to sensitive resources. By appending ?+--env=dev to a URL, an attacker can force the application into the dev environment, which exposes the Symfony profiler remotely. This can leak sensitive information and potentially lead to arbitrary code execution. The issue has been fixed in Symfony 5.4.46, 6.4.14, and 7.1.7, and all users are advised to upgrade. There are no known workarounds for this vulnerability.

News Articles

Understanding CVE-2024-50340 - Remote Access to Symfony Profiler - IONIX

CVE-2024-50340: A security issue in Symfony versions >=6, >=7, <7.1.7 of the Symfony Runtime component allows unauthorized access to sensitive resources.

EPSS Score

82% chance of being exploited in the next 30 days.

Timeline

  • 📰 First article discovered by IONIX

  • Vulnerability published