Search for vulnerabilities
Vulnerability details: VCID-hm1q-8mjy-47ek
Vulnerability ID VCID-hm1q-8mjy-47ek
Aliases CVE-2024-36611
GHSA-7q22-x757-cmgc
Summary Withdrawn Advisory: Symfony http-security has authentication bypass ## Withdrawn Advisory This advisory has been withdrawn because the report is not part of a valid vulnerability. This link is maintained to preserve external references. For more information, see advisory-database/pull/5046. ## Original Description In Symfony, a security vulnerability was identified in the FormLoginAuthenticator component, where it failed to adequately handle cases where the username or password field of a login request is empty. This flaw could lead to various security risks, including improper authentication logic handling or denial of service.
Status Published
Exploitability 0.5
Weighted Severity 6.8
Risk 3.4
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-287 Improper Authentication
CWE-863 Incorrect Authorization
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00847 https://api.first.org/data/v1/epss?cve=CVE-2024-36611
epss 0.00847 https://api.first.org/data/v1/epss?cve=CVE-2024-36611
cvssv3.1 7.5 https://gist.github.com/1047524396/3581425e0911b716cf8ce4fa30e41e6c
generic_textual MODERATE https://gist.github.com/1047524396/3581425e0911b716cf8ce4fa30e41e6c
ssvc Track https://gist.github.com/1047524396/3581425e0911b716cf8ce4fa30e41e6c
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-7q22-x757-cmgc
cvssv3.1 7.5 https://github.com/github/advisory-database/pull/5046
generic_textual MODERATE https://github.com/github/advisory-database/pull/5046
ssvc Track https://github.com/github/advisory-database/pull/5046
cvssv3.1 7.5 https://github.com/symfony/symfony/blob/v7.0.7/src/Symfony/Component/Security/Http/Authenticator/FormLoginAuthenticator.php#L132
generic_textual MODERATE https://github.com/symfony/symfony/blob/v7.0.7/src/Symfony/Component/Security/Http/Authenticator/FormLoginAuthenticator.php#L132
ssvc Track https://github.com/symfony/symfony/blob/v7.0.7/src/Symfony/Component/Security/Http/Authenticator/FormLoginAuthenticator.php#L132
cvssv3.1 7.5 https://github.com/symfony/symfony/commit/a804ca15fcad279d7727b91d12a667fd5b925995
generic_textual MODERATE https://github.com/symfony/symfony/commit/a804ca15fcad279d7727b91d12a667fd5b925995
ssvc Track https://github.com/symfony/symfony/commit/a804ca15fcad279d7727b91d12a667fd5b925995
cvssv3.1 7.5 https://github.com/symfony/symfony/issues/59077#issuecomment-2513935018
generic_textual MODERATE https://github.com/symfony/symfony/issues/59077#issuecomment-2513935018
ssvc Track https://github.com/symfony/symfony/issues/59077#issuecomment-2513935018
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2024-36611
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2024-36611
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2024-36611
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36611
https://gist.github.com/1047524396/3581425e0911b716cf8ce4fa30e41e6c
https://github.com/github/advisory-database/pull/5046
https://github.com/symfony/symfony/blob/v7.0.7/src/Symfony/Component/Security/Http/Authenticator/FormLoginAuthenticator.php#L132
https://github.com/symfony/symfony/commit/a804ca15fcad279d7727b91d12a667fd5b925995
https://github.com/symfony/symfony/issues/59077#issuecomment-2513935018
https://nvd.nist.gov/vuln/detail/CVE-2024-36611
1088817 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088817
GHSA-7q22-x757-cmgc https://github.com/advisories/GHSA-7q22-x757-cmgc
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://gist.github.com/1047524396/3581425e0911b716cf8ce4fa30e41e6c
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-03T15:19:25Z/ Found at https://gist.github.com/1047524396/3581425e0911b716cf8ce4fa30e41e6c
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/github/advisory-database/pull/5046
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-03T15:19:25Z/ Found at https://github.com/github/advisory-database/pull/5046
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/symfony/symfony/blob/v7.0.7/src/Symfony/Component/Security/Http/Authenticator/FormLoginAuthenticator.php#L132
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-03T15:19:25Z/ Found at https://github.com/symfony/symfony/blob/v7.0.7/src/Symfony/Component/Security/Http/Authenticator/FormLoginAuthenticator.php#L132
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/symfony/symfony/commit/a804ca15fcad279d7727b91d12a667fd5b925995
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-03T15:19:25Z/ Found at https://github.com/symfony/symfony/commit/a804ca15fcad279d7727b91d12a667fd5b925995
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/symfony/symfony/issues/59077#issuecomment-2513935018
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-03T15:19:25Z/ Found at https://github.com/symfony/symfony/issues/59077#issuecomment-2513935018
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2024-36611
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.73823
EPSS Score 0.00847
Published At June 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-01T12:10:39.172572+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-7q22-x757-cmgc/GHSA-7q22-x757-cmgc.json 36.1.3