CVE-2024-50340
Description
symfony/runtime is a module for the Symphony PHP framework which enables decoupling PHP applications from global state. When the `register_argv_argc` php directive is set to `on` , and users call any URL with a special crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request. As of versions 5.4.46, 6.4.14, and 7.1.7 the `SymfonyRuntime` now ignores the `argv` values for non-SAPI PHP runtimes. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
OS impact
Debian Fixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 6.4.14+dfsg-1 |
| sid | Fixed | 6.4.14+dfsg-1 |
| forky | Fixed | 6.4.14+dfsg-1 |
| bullseye | Fixed | 0 |
| bookworm | Fixed | 5.4.23+dfsg-1+deb12u3 |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Packagist | symfony/runtime | >=5.3.0,<5.4.46 | 5.4.46 |
| Packagist | symfony/runtime | >=6.0.0,<6.4.14 | 6.4.14 |
| Packagist | symfony/runtime | >=7.0.0,<7.1.7 | 7.1.7 |
| Packagist | symfony/symfony | >=5.3.0,<5.4.46 | 5.4.46 |
| Packagist | symfony/symfony | >=6.0.0,<6.4.14 | 6.4.14 |
| Packagist | symfony/symfony | >=7.0.0,<7.1.7 | 7.1.7 |
References
- https://github.com/symfony/symfony/security/advisories/GHSA-x8vp-gf4q-mw5j
- https://nvd.nist.gov/vuln/detail/CVE-2024-50340
- https://github.com/symfony/symfony/commit/a77b308c3f179ed7c8a8bc295f82b2d6ee3493fa
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/runtime/CVE-2024-50340.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2024-50340.yaml
- https://github.com/symfony/symfony
- https://symfony.com/cve-2024-50340
- https://security-tracker.debian.org/tracker/CVE-2024-50340
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.