This repository has been archived by the owner on Dec 5, 2024. It is now read-only.

symfony/framework-bundle-v6.2.9: 1 vulnerabilities (highest severity is: 9.8) #622

Open
mend-bolt-for-github bot opened this issue Dec 5, 2024 · 0 comments
Labels
Mend: dependency security vulnerability (Security vulnerability detected by Mend)

Comments

@mend-bolt-for-github
Contributor

Vulnerable Library - symfony/framework-bundle-v6.2.9

Found in HEAD commit: 25671a7609a83910381d92265b840e9e308bd5dd

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (symfony/framework-bundle-v6.2.9 version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2024-36610 | Critical | 9.8 | symfony/var-dumper-v6.2.8 | Transitive | N/A* | |

*For some transitive vulnerabilities, there is no version of the direct dependency that contains a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.

**In some cases, a Remediation PR cannot be created automatically for a vulnerability even though a remediation is available.

Details

CVE-2024-36610

Vulnerable Library - symfony/var-dumper-v6.2.8

Provides mechanisms for walking through any arbitrary PHP variable

Library home page: https://api.github.com/repos/symfony/var-dumper/zipball/d37ab6787be2db993747b6218fcc96e8e3bb4bd0

Dependency Hierarchy:

  • symfony/framework-bundle-v6.2.9 (Root Library)
    • symfony/error-handler-v6.2.9
      • symfony/var-dumper-v6.2.8 (Vulnerable Library)

Found in HEAD commit: 25671a7609a83910381d92265b840e9e308bd5dd

Found in base branch: develop

Vulnerability Details

A deserialization vulnerability exists in the Stub class of the VarDumper module in Symfony v7.0.3. The vulnerability stems from deficiencies in the original implementation when handling properties with null or uninitialized values. An attacker could construct specific serialized data and use this vulnerability to execute unauthorized code. NOTE: the Supplier has concluded that this is a false report.

Publish Date: 2024-11-29

URL: CVE-2024-36610

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://gist.github.com/1047524396/24e93f2905850235e42ad7db6e878bd5

Release Date: 2024-11-29

Fix Resolution: v6.4.4,v7.0.4


mend-bolt-for-github bot added the "Mend: dependency security vulnerability" label on Dec 5, 2024