Symfony Runtime Ignores Arguments in Non-SAPI PHP Runtimes
CVE-2024-50340

Currently unrated

Key Information:

Vendor

Symfony

CVE Published:
6 November 2024

Badges

🟣 EPSS 85%  ·  📰 News Worthy

What is CVE-2024-50340?

CVE-2024-50340 affects the Symfony Runtime component in Symfony 5.4 before 5.4.46, 6.x before 6.4.14, and 7.x before 7.1.7. The runtime reads command-line options such as `--env` from `$_SERVER['argv']` even when PHP is not running under a CLI SAPI. When the PHP directive `register_argc_argv` is enabled, a web SAPI fills that array from the request's query string, split on `+`, so an attacker can append `?+--env=dev` to a URL and switch the application into the dev environment. That exposes the Symfony profiler remotely, which leaks sensitive information and can be a step towards arbitrary code execution. The issue is fixed in Symfony 5.4.46, 6.4.14, and 7.1.7, and all users are advised to upgrade. No workarounds are known.
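The following Python script is an added example, not Symfony or PHP code. It models the mechanism described above: how a web SAPI with `register_argc_argv` on turns the query string `+--env=dev` into an argv array, how a runtime that trusts that argv regardless of SAPI ends up in `dev` while one that only honours argv under a CLI-like SAPI stays in `prod`, and a check that flags such requests in access-log lines. The split-on-`+` model, the `CLI_SAPIS` set, the `--env` parser, and the log lines are all assumptions or constructed data, simplified from the real behaviour for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption: SAPIs under which command-line arguments are legitimate input.
CLI_SAPIS = {"cli", "phpdbg", "embed"}


def php_argv_from_query(query_string: str) -> list:
    """Model of PHP's register_argc_argv=On for web SAPIs: the raw query string
    is split on '+' into $_SERVER['argv'], empty segments included, with no
    percent-decoding (assumption, simplified from PHP's own implementation)."""
    if query_string == "":
        return []
    return query_string.split("+")


def env_from_argv(argv: list, default: str) -> str:
    """Minimal --env=X / --env X parser. argv[0] is treated as the script name,
    which is why the payload needs a leading '+' to occupy that slot."""
    args = argv[1:]
    for i, tok in enumerate(args):
        if tok.startswith("--env="):
            return tok[len("--env="):]
        if tok == "--env" and i + 1 < len(args):
            return args[i + 1]
    return default


def resolve_env(sapi: str, argv: list, default: str = "prod", fixed: bool = True) -> str:
    """fixed=False: honour argv whatever the SAPI (the vulnerable behaviour).
    fixed=True: honour argv only under a CLI-like SAPI (the hardened behaviour)."""
    if fixed and sapi not in CLI_SAPIS:
        return default
    return env_from_argv(argv, default)


def web_request_env(url: str, sapi: str = "fpm-fcgi", fixed: bool = True) -> str:
    """Environment a web request would run in, assuming register_argc_argv=On."""
    argv = php_argv_from_query(urlsplit(url).query)
    return resolve_env(sapi, argv, fixed=fixed)


REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/')


def is_env_override_attempt(log_line: str) -> bool:
    """True when the logged request's query string would inject an --env option
    through argv. Both the raw and the percent-decoded forms are checked, since
    some servers and proxies decode the request line before logging it."""
    m = REQUEST_LINE.search(log_line)
    if not m:
        return False
    query = urlsplit(m.group(1)).query
    for candidate in (query, unquote(query)):
        for tok in php_argv_from_query(candidate)[1:]:
            if tok == "--env" or tok.startswith("--env="):
                return True
    return False


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Nov/2024:10:01:02 +0000] "GET /?+--env=dev HTTP/1.1" 200 8123',
    '203.0.113.7 - - [06/Nov/2024:10:01:09 +0000] "GET /_profiler/latest?+--env=dev HTTP/1.1" 200 40211',
    '198.51.100.4 - - [06/Nov/2024:10:02:00 +0000] "GET /search?q=a+b+c HTTP/1.1" 200 512',
    '198.51.100.4 - - [06/Nov/2024:10:02:30 +0000] "GET /docs?page=env HTTP/1.1" 200 2048',
]


def flagged_lines(log_lines: list) -> list:
    """Return only the log lines that carry an argv-based --env override."""
    return [line for line in log_lines if is_env_override_attempt(line)]


if __name__ == "__main__":
    url = "https://app.example/?+--env=dev"
    print("argv seen by PHP:  ", php_argv_from_query("+--env=dev"))
    print("vulnerable runtime:", web_request_env(url, fixed=False))
    print("fixed runtime:     ", web_request_env(url, fixed=True))
    for line in flagged_lines(SAMPLE_LOG):
        print("FLAG", line)
```

The log check deliberately ignores `+` that appears inside ordinary form-encoded values (`q=a+b+c`): only a token in the argv position after the first `+` that looks like an `--env` option is flagged, which keeps false positives low on search-style URLs. A legitimate `bin/console --env=dev` run under the `cli` SAPI still resolves to `dev` in the hardened path, so the fix does not break normal console use.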

News Articles

Understanding CVE-2024-50340 - Remote Access to Symfony Profiler - IONIX

CVE-2024-50340: A security issue in Symfony versions >=6, >=7, <7.1.7 of the Symfony Runtime component allows unauthorized access to sensitive resources.

EPSS Score

EPSS estimates an 85% probability of exploitation activity in the wild within the next 30 days.

Timeline

  • 📰 First article discovered by IONIX

  • Vulnerability published (6 November 2024)