CVE-2024-36611

Dec. 3, 2024, 9:15 p.m.

7.5
High

Description

In Symfony v7.07, a security vulnerability was identified in the FormLoginAuthenticator component, where it failed to adequately handle cases where the username or password field of a login request is empty. This flaw could lead to various security risks, including improper authentication logic handling or denial of service. NOTE: the Supplier has concluded that this is a false report.

Product(s) Impacted

Product Versions
Symfony
  • ['7.07']

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-863
Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References

https://gist.github.com/1047524396/3581425e0911b716cf8ce4fa30e41e6c
https://github.com/github/advisory-database/pull/5046
https://github.com/symfony/symfony/blob/v7.0.7/src/Symfony/Component/Security/Http/Authenticator/FormLoginAuthenticator.php#L132
https://github.com/symfony/symfony/commit/a804ca15fcad279d7727b91d12a667fd5b925995
https://github.com/symfony/symfony/issues/59077#issuecomment-2513935018

Tags

cve@mitre.org
CWE-863
2024-11-29
CVE-2024-36611

CVSS Score

7.5 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: HIGH

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

    View Vector String

Timeline

Published: Nov. 29, 2024, 7:15 p.m.
Last Modified: Dec. 3, 2024, 9:15 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

cve@mitre.org

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.