Vulnerabilities affecting this package (0)
| Vulnerability |
Summary |
Fixed by |
|
This package is not known to be affected by vulnerabilities.
|
Vulnerabilities fixed by this package (2)
| Vulnerability |
Summary |
Aliases |
|
VCID-8kq8-2mv9-s3ad
|
Symfony allows internal address and port enumeration by NoPrivateNetworkHttpClient
### Description
When using the `NoPrivateNetworkHttpClient`, some internal information is still leaking during host resolution, which leads to possible IP/port enumeration.
### Resolution
The `NoPrivateNetworkHttpClient` now filters blocked IPs earlier to prevent such leaks.
The fisrt patch for this issue is available [here](https://github.com/symfony/symfony/commit/296d4b34a33b1a6ca5475c6040b3203622520f5b) for branch 5.4.
The second one is available [here](https://github.com/symfony/symfony/commit/b4bf5afdbdcb2fd03da513ee03beeabeb551e5fa) for branch 5.4 also.
### Credits
We would like to thank Linus Karlsson and Chris Smith for reporting the issue and Nicolas Grekas for providing the fix.
|
CVE-2024-50342
GHSA-9c3x-r3wp-mgxm
|
|
VCID-sbsb-u8u5-4bcm
|
Symfony has an Authentication Bypass via RememberMe
### Description
When consuming a persisted remember-me cookie, Symfony does not check if the username persisted in the database matches the username attached with the cookie, leading to authentication bypass.
### Resolution
The `PersistentRememberMeHandler` class now ensures the submitted username is the cookie owner.
The patch for this issue is available [here](https://github.com/symfony/symfony/commit/81354d392c5f0b7a52bcbd729d6f82501e94135a) for branch 5.4.
### Credits
We would like to thank Moritz Rauch - Pentryx AG for reporting the issue and Jérémy Derussé for providing the fix.
|
CVE-2024-51996
GHSA-cg23-qf8f-62rr
|