This repository has been archived by the owner on Dec 5, 2024. It is now read-only.

symfony/runtime-v6.2.8: 1 vulnerabilities (highest severity is: 7.3) #619

Open
mend-bolt-for-github bot opened this issue Nov 7, 2024 · 0 comments
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend

Comments

@mend-bolt-for-github (Contributor)

Vulnerable Library - symfony/runtime-v6.2.8

Enables decoupling PHP applications from global state

Library home page: https://api.github.com/repos/symfony/runtime/zipball/f8b0751b33888329be8f8f0481bb81d279ec4157

Found in HEAD commit: 25671a7609a83910381d92265b840e9e308bd5dd

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (symfony/runtime-v6.2.8 version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2024-50340 | High | 7.3 | symfony/runtime-v6.2.8 | Direct | symfony/runtime - v5.4.46, v6.4.14, v7.1.7 | |

** In some cases, a remediation PR cannot be created automatically for a vulnerability even though a remediation is available.

Details

CVE-2024-50340

Dependency Hierarchy:

  • symfony/runtime-v6.2.8 (Vulnerable Library)

Found in base branch: develop

Vulnerability Details

symfony/runtime is a module for the Symfony PHP framework which enables decoupling PHP applications from global state. When the "register_argv_argc" PHP directive is set to "on", and a user calls any URL with a specially crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request. As of versions 5.4.46, 6.4.14, and 7.1.7 the "SymfonyRuntime" ignores the "argv" values for non-CLI PHP SAPIs. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Publish Date: 2024-11-06

URL: CVE-2024-50340

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-x8vp-gf4q-mw5j

Release Date: 2024-11-06

Fix Resolution: symfony/runtime - v5.4.46,v6.4.14,v7.1.7

mend-bolt-for-github bot added the label "Mend: dependency security vulnerability" (Security vulnerability detected by Mend) on Nov 7, 2024.