From a71c9a1935f2bee5b2d60da73474cb6b8c2c4214 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Deruss=C3=A9?=
Date: Tue, 5 Nov 2024 16:26:59 +0100
Subject: [PATCH] Add advisories for Symfony Security Release 2024-01
---
symfony/http-client/CVE-2024-50342.yaml | 47 +++++++++++++++++++
symfony/http-foundation/CVE-2024-50345.yaml | 50 +++++++++++++++++++++
symfony/process/CVE-2024-51736.yaml | 50 +++++++++++++++++++++
symfony/runtime/CVE-2024-50340.yaml | 32 +++++++++++++
symfony/security-bundle/CVE-2024-50341.yaml | 20 +++++++++
symfony/symfony/CVE-2024-50340.yaml | 32 +++++++++++++
symfony/symfony/CVE-2024-50341.yaml | 20 +++++++++
symfony/symfony/CVE-2024-50342.yaml | 47 +++++++++++++++++++
symfony/symfony/CVE-2024-50343.yaml | 50 +++++++++++++++++++++
symfony/symfony/CVE-2024-50345.yaml | 50 +++++++++++++++++++++
symfony/symfony/CVE-2024-51736.yaml | 50 +++++++++++++++++++++
symfony/validator/CVE-2024-50343.yaml | 50 +++++++++++++++++++++
12 files changed, 498 insertions(+)
create mode 100644 symfony/http-client/CVE-2024-50342.yaml
create mode 100644 symfony/http-foundation/CVE-2024-50345.yaml
create mode 100644 symfony/process/CVE-2024-51736.yaml
create mode 100644 symfony/runtime/CVE-2024-50340.yaml
create mode 100644 symfony/security-bundle/CVE-2024-50341.yaml
create mode 100644 symfony/symfony/CVE-2024-50340.yaml
create mode 100644 symfony/symfony/CVE-2024-50341.yaml
create mode 100644 symfony/symfony/CVE-2024-50342.yaml
create mode 100644 symfony/symfony/CVE-2024-50343.yaml
create mode 100644 symfony/symfony/CVE-2024-50345.yaml
create mode 100644 symfony/symfony/CVE-2024-51736.yaml
create mode 100644 symfony/validator/CVE-2024-50343.yaml
diff --git a/symfony/http-client/CVE-2024-50342.yaml b/symfony/http-client/CVE-2024-50342.yaml
new file mode 100644
index 000000000..da205d398
--- /dev/null
+++ b/symfony/http-client/CVE-2024-50342.yaml
@@ -0,0 +1,47 @@
+title: "CVE-2024-50342: Internal address and port enumeration allowed by NoPrivateNetworkHttpClient"
+link: https://symfony.com/cve-2024-50342
+cve: CVE-2024-50342
+branches:
+ 4.3.x:
+ time: ~
+ versions: ['>=4.3.0', '<4.4.0']
+ 4.4.x:
+ time: ~
+ versions: ['>=4.4.0', '<5.0.0']
+ 5.0.x:
+ time: ~
+ versions: ['>=5.0.0', '<5.1.0']
+ 5.1.x:
+ time: ~
+ versions: ['>=5.1.0', '<5.2.0']
+ 5.2.x:
+ time: ~
+ versions: ['>=5.2.0', '<5.3.0']
+ 5.3.x:
+ time: ~
+ versions: ['>=5.3.0', '<5.4.0']
+ 5.4.x:
+ time: 2024-11-05 08:00:00
+ versions: ['>=5.4.0', '<5.4.46']
+ 6.0.x:
+ time: ~
+ versions: ['>=6.0.0', '<6.1.0']
+ 6.1.x:
+ time: ~
+ versions: ['>=6.1.0', '<6.2.0']
+ 6.2.x:
+ time: ~
+ versions: ['>=6.2.0', '<6.3.0']
+ 6.3.x:
+ time: ~
+ versions: ['>=6.3.0', '<6.4.0']
+ 6.4.x:
+ time: 2024-11-05 08:00:00
+ versions: ['>=6.4.0', '<6.4.14']
+ 7.0.x:
+ time: ~
+ versions: ['>=7.0.0', '<7.1.0']
+ 7.1.x:
+ time: 2024-11-05 08:00:00
+ versions: ['>=7.1.0', '<7.1.7']
+reference: composer://symfony/http-client
diff --git a/symfony/http-foundation/CVE-2024-50345.yaml b/symfony/http-foundation/CVE-2024-50345.yaml
new file mode 100644
index 000000000..602d609ac
--- /dev/null
+++ b/symfony/http-foundation/CVE-2024-50345.yaml
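Review bot: The affected range for symfony/http-client opens at `4.3.x`, but the advisory is specific to NoPrivateNetworkHttpClient, and to my recollection that decorator only landed in a later 5.x minor (I believe 5.1); if so, the `4.3.x`, `4.4.x` and `5.0.x` entries would flag releases that do not ship the affected class at all. Please confirm the first release containing NoPrivateNetworkHttpClient against the component changelog and drop the earlier branches if they predate it. The same opening range is repeated in symfony/symfony/CVE-2024-50342.yaml later in this patch and should be adjusted in both places together.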
@@ -0,0 +1,50 @@
+title: "CVE-2024-50345: Open redirect via browser-sanitized URLs"
+link: https://symfony.com/cve-2024-50345
+cve: CVE-2024-50345
+branches:
+ 2.x:
+ time: ~
+ versions: ['>=2.0.0', '<3.0.0']
+ 3.x:
+ time: ~
+ versions: ['>=3.0.0', '<4.0.0']
+ 4.x:
+ time: ~
+ versions: ['>=4.0.0', '<5.0.0']
+ 5.0.x:
+ time: ~
+ versions: ['>=5.0.0', '<5.1.0']
+ 5.1.x:
+ time: ~
+ versions: ['>=5.1.0', '<5.2.0']
+ 5.2.x:
+ time: ~
+ versions: ['>=5.2.0', '<5.3.0']
+ 5.3.x:
+ time: ~
+ versions: ['>=5.3.0', '<5.4.0']
+ 5.4.x:
+ time: 2024-11-05 08:00:00
+ versions: ['>=5.4.0', '<5.4.46']
+ 6.0.x:
+ time: ~
+ versions: ['>=6.0.0', '<6.1.0']
+ 6.1.x:
+ time: ~
+ versions: ['>=6.1.0', '<6.2.0']
+ 6.2.x:
+ time: ~
+ versions: ['>=6.2.0', '<6.3.0']
+ 6.3.x:
+ time: ~
+ versions: ['>=6.3.0', '<6.4.0']
+ 6.4.x:
+ time: 2024-11-05 08:00:00
+ versions: ['>=6.4.0', '<6.4.14']
+ 7.0.x:
+ time: ~
+ versions: ['>=7.0.0', '<7.1.0']
+ 7.1.x:
+ time: 2024-11-05 08:00:00
+ versions: ['>=7.1.0', '<7.1.7']
+reference: composer://symfony/http-foundation
diff --git a/symfony/process/CVE-2024-51736.yaml b/symfony/process/CVE-2024-51736.yaml
new file mode 100644
index 000000000..950cb461f
--- /dev/null
+++ b/symfony/process/CVE-2024-51736.yaml
@@ -0,0 +1,50 @@
+title: "CVE-2024-51736: Command execution hijack on Windows with Process class"
+link: https://symfony.com/cve-2024-51736
+cve: CVE-2024-51736
+branches:
+ 2.x:
+ time: ~
+ versions: ['>=2.0.0', '<3.0.0']
+ 3.x:
+ time: ~
+ versions: ['>=3.0.0', '<4.0.0']
+ 4.x:
+ time: ~
+ versions: ['>=4.0.0', '<5.0.0']
+ 5.0.x:
+ time: ~
+ versions: ['>=5.0.0', '<5.1.0']
+ 5.1.x:
+ time: ~
+ versions: ['>=5.1.0', '<5.2.0']
+ 5.2.x:
+ time: ~
+ versions: ['>=5.2.0', '<5.3.0']
+ 5.3.x:
+ time: ~
+ versions: ['>=5.3.0', '<5.4.0']
+ 5.4.x:
+ time: 2024-11-05 08:00:00
+ versions: ['>=5.4.0', '<5.4.46']
+ 6.0.x:
+ time: ~
+ versions: ['>=6.0.0', '<6.1.0']
+ 6.1.x:
+ time: ~
+ versions: ['>=6.1.0', '<6.2.0']
+ 6.2.x:
+ time: ~
+ versions: ['>=6.2.0', '<6.3.0']
+ 6.3.x:
+ time: ~
+ versions: ['>=6.3.0', '<6.4.0']
+ 6.4.x:
+ time: 2024-11-05 08:00:00
+ versions: ['>=6.4.0', '<6.4.14']
+ 7.0.x:
+ time: ~
+ versions: ['>=7.0.0', '<7.1.0']
+ 7.1.x:
+ time: 2024-11-05 08:00:00
+ versions: ['>=7.1.0', '<7.1.7']
+reference: composer://symfony/process
diff --git a/symfony/runtime/CVE-2024-50340.yaml b/symfony/runtime/CVE-2024-50340.yaml
new file mode 100644
index 000000000..0f7d84bf2
--- /dev/null
+++ b/symfony/runtime/CVE-2024-50340.yaml
@@ -0,0 +1,32 @@
+title: "CVE-2024-50340: Ability to change environment from query"
+link: https://symfony.com/cve-2024-50340
+cve: CVE-2024-50340
+branches:
+ 5.3.x:
+ time: ~
+ versions: ['>=5.3.0', '<5.4.0']
+ 5.4.x:
+ time: 2024-11-05 08:00:00
+ versions: ['>=5.4.0', '<5.4.46']
+ 6.0.x:
+ time: ~
+ versions: ['>=6.0.0', '<6.1.0']
+ 6.1.x:
+ time: ~
+ versions: ['>=6.1.0', '<6.2.0']
+ 6.2.x:
+ time: ~
+ versions: ['>=6.2.0', '<6.3.0']
+ 6.3.x:
+ time: ~
+ versions: ['>=6.3.0', '<6.4.0']
+ 6.4.x:
+ time: 2024-11-05 08:00:00
+ versions: ['>=6.4.0', '<6.4.14']
+ 7.0.x:
+ time: ~
+ versions: ['>=7.0.0', '<7.1.0']
+ 7.1.x:
+ time: 2024-11-05 08:00:00
+ versions: ['>=7.1.0', '<7.1.7']
+reference: composer://symfony/runtime
diff --git a/symfony/security-bundle/CVE-2024-50341.yaml b/symfony/security-bundle/CVE-2024-50341.yaml
new file mode 100644
index 000000000..bbfdcf056
--- /dev/null
+++ b/symfony/security-bundle/CVE-2024-50341.yaml
@@ -0,0 +1,20 @@
+title: "CVE-2024-50341: Security::login does not take into account custom user_checker"
+link: https://symfony.com/cve-2024-50341
+cve: CVE-2024-50341
+branches:
+ 6.2.x:
+ time: ~
+ versions: ['>=6.2.0', '<6.3.0']
+ 6.3.x:
+ time: ~
+ versions: ['>=6.3.0', '<6.4.0']
+ 6.4.x:
+ time: 2024-07-17 08:00:00
+ versions: ['>=6.4.0', '<6.4.10']
+ 7.0.x:
+ time: 2024-07-17 08:00:00
+ versions: ['>=7.0.0', '<7.0.10']
+ 7.1.x:
+ time: 2024-07-17 08:00:00
+ versions: ['>=7.1.0', '<7.1.3']
+reference: composer://symfony/security-bundle
diff --git a/symfony/symfony/CVE-2024-50340.yaml b/symfony/symfony/CVE-2024-50340.yaml
new file mode 100644
index 000000000..f246fda3b
--- /dev/null
+++ b/symfony/symfony/CVE-2024-50340.yaml
@@ -0,0 +1,32 @@
+title: "CVE-2024-50340: Ability to change environment from query"
+link: https://symfony.com/cve-2024-50340
+cve: CVE-2024-50340
+branches:
+ 5.3.x:
+ time: ~
+ versions: ['>=5.3.0', '<5.4.0']
+ 5.4.x:
+ time: 2024-11-05 08:00:00
+ versions: ['>=5.4.0', '<5.4.46']
+ 6.0.x:
+ time: ~
+ versions: ['>=6.0.0', '<6.1.0']
+ 6.1.x:
+ time: ~
+ versions: ['>=6.1.0', '<6.2.0']
+ 6.2.x:
+ time: ~
+ versions: ['>=6.2.0', '<6.3.0']
+ 6.3.x:
+ time: ~
+ versions: ['>=6.3.0', '<6.4.0']
+ 6.4.x:
+ time: 2024-11-05 08:00:00
+ versions: ['>=6.4.0', '<6.4.14']
+ 7.0.x:
+ time: ~
+ versions: ['>=7.0.0', '<7.1.0']
+ 7.1.x:
+ time: 2024-11-05 08:00:00
+ versions: ['>=7.1.0', '<7.1.7']
+reference: composer://symfony/symfony
diff --git a/symfony/symfony/CVE-2024-50341.yaml b/symfony/symfony/CVE-2024-50341.yaml
new file mode 100644
index 000000000..dba4a2a6b
--- /dev/null
+++ b/symfony/symfony/CVE-2024-50341.yaml
@@ -0,0 +1,20 @@
+title: "CVE-2024-50341: Security::login does not take into account custom user_checker"
+link: https://symfony.com/cve-2024-50341
+cve: CVE-2024-50341
+branches:
+ 6.2.x:
+ time: ~
+ versions: ['>=6.2.0', '<6.3.0']
+ 6.3.x:
+ time: ~
+ versions: ['>=6.3.0', '<6.4.0']
+ 6.4.x:
+ time: 2024-07-17 08:00:00
+ versions: ['>=6.4.0', '<6.4.10']
+ 7.0.x:
+ time: 2024-07-17 08:00:00
+ versions: ['>=7.0.0', '<7.0.10']
+ 7.1.x:
+ time: 2024-07-17 08:00:00
+ versions: ['>=7.1.0', '<7.1.3']
+reference: composer://symfony/symfony
diff --git a/symfony/symfony/CVE-2024-50342.yaml b/symfony/symfony/CVE-2024-50342.yaml
new file mode 100644
index 000000000..472f210ba
--- /dev/null
+++ b/symfony/symfony/CVE-2024-50342.yaml
@@ -0,0 +1,47 @@
+title: "CVE-2024-50342: Internal address and port enumeration allowed by NoPrivateNetworkHttpClient"
+link: https://symfony.com/cve-2024-50342
+cve: CVE-2024-50342
+branches:
+ 4.3.x:
+ time: ~
+ versions: ['>=4.3.0', '<4.4.0']
+ 4.4.x:
+ time: ~
+ versions: ['>=4.4.0', '<5.0.0']
+ 5.0.x:
+ time: ~
+ versions: ['>=5.0.0', '<5.1.0']
+ 5.1.x:
+ time: ~
+ versions: ['>=5.1.0', '<5.2.0']
+ 5.2.x:
+ time: ~
+ versions: ['>=5.2.0', '<5.3.0']
+ 5.3.x:
+ time: ~
+ versions: ['>=5.3.0', '<5.4.0']
+ 5.4.x:
+ time: 2024-11-05 08:00:00
+ versions: ['>=5.4.0', '<5.4.46']
+ 6.0.x:
+ time: ~
+ versions: ['>=6.0.0', '<6.1.0']
+ 6.1.x:
+ time: ~
+ versions: ['>=6.1.0', '<6.2.0']
+ 6.2.x:
+ time: ~
+ versions: ['>=6.2.0', '<6.3.0']
+ 6.3.x:
+ time: ~
+ versions: ['>=6.3.0', '<6.4.0']
+ 6.4.x:
+ time: 2024-11-05 08:00:00
+ versions: ['>=6.4.0', '<6.4.14']
+ 7.0.x:
+ time: ~
+ versions: ['>=7.0.0', '<7.1.0']
+ 7.1.x:
+ time: 2024-11-05 08:00:00
+ versions: ['>=7.1.0', '<7.1.7']
+reference: composer://symfony/symfony
diff --git a/symfony/symfony/CVE-2024-50343.yaml b/symfony/symfony/CVE-2024-50343.yaml
new file mode 100644
index 000000000..348b7f957
--- /dev/null
+++ b/symfony/symfony/CVE-2024-50343.yaml
@@ -0,0 +1,50 @@
+title: "CVE-2024-50343: Incorrect response from Validator when input ends with `\n`"
+link: https://symfony.com/cve-2024-50343
+cve: CVE-2024-50343
+branches:
+ 2.x:
+ time: ~
+ versions: ['>=2.0.0', '<3.0.0']
+ 3.x:
+ time: ~
+ versions: ['>=3.0.0', '<4.0.0']
+ 4.x:
+ time: ~
+ versions: ['>=4.0.0', '<5.0.0']
+ 5.0.x:
+ time: ~
+ versions: ['>=5.0.0', '<5.1.0']
+ 5.1.x:
+ time: ~
+ versions: ['>=5.1.0', '<5.2.0']
+ 5.2.x:
+ time: ~
+ versions: ['>=5.2.0', '<5.3.0']
+ 5.3.x:
+ time: ~
+ versions: ['>=5.3.0', '<5.4.0']
+ 5.4.x:
+ time: 2024-08-30 08:00:00
+ versions: ['>=5.4.0', '<5.4.43']
+ 6.0.x:
+ time: ~
+ versions: ['>=6.0.0', '<6.1.0']
+ 6.1.x:
+ time: ~
+ versions: ['>=6.1.0', '<6.2.0']
+ 6.2.x:
+ time: ~
+ versions: ['>=6.2.0', '<6.3.0']
+ 6.3.x:
+ time: ~
+ versions: ['>=6.3.0', '<6.4.0']
+ 6.4.x:
+ time: 2024-08-30 08:00:00
+ versions: ['>=6.4.0', '<6.4.11']
+ 7.0.x:
+ time: ~
+ versions: ['>=7.0.0', '<7.1.0']
+ 7.1.x:
+ time: 2024-08-30 08:00:00
+ versions: ['>=7.1.0', '<7.1.4']
+reference: composer://symfony/symfony
diff --git a/symfony/symfony/CVE-2024-50345.yaml b/symfony/symfony/CVE-2024-50345.yaml
new file mode 100644
index 000000000..7d2d853d0
--- /dev/null
+++ b/symfony/symfony/CVE-2024-50345.yaml
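Review bot: The `title` of symfony/symfony/CVE-2024-50343.yaml is a double-quoted YAML scalar, and inside double quotes `\n` is an escape sequence for a line feed, so any YAML parser will load this title with an embedded newline between the backticks instead of the literal two characters the author intended. Either double the backslash within the existing double-quoted scalar (`\\n`) or switch the title to a single-quoted scalar, which does not process backslash escapes. The identical title in symfony/validator/CVE-2024-50343.yaml at the end of this patch has the same problem and should be fixed the same way so the two advisories stay byte-identical.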
@@ -0,0 +1,50 @@
+title: "CVE-2024-50345: Open redirect via browser-sanitized URLs"
+link: https://symfony.com/cve-2024-50345
+cve: CVE-2024-50345
+branches:
+ 2.x:
+ time: ~
+ versions: ['>=2.0.0', '<3.0.0']
+ 3.x:
+ time: ~
+ versions: ['>=3.0.0', '<4.0.0']
+ 4.x:
+ time: ~
+ versions: ['>=4.0.0', '<5.0.0']
+ 5.0.x:
+ time: ~
+ versions: ['>=5.0.0', '<5.1.0']
+ 5.1.x:
+ time: ~
+ versions: ['>=5.1.0', '<5.2.0']
+ 5.2.x:
+ time: ~
+ versions: ['>=5.2.0', '<5.3.0']
+ 5.3.x:
+ time: ~
+ versions: ['>=5.3.0', '<5.4.0']
+ 5.4.x:
+ time: 2024-11-05 08:00:00
+ versions: ['>=5.4.0', '<5.4.46']
+ 6.0.x:
+ time: ~
+ versions: ['>=6.0.0', '<6.1.0']
+ 6.1.x:
+ time: ~
+ versions: ['>=6.1.0', '<6.2.0']
+ 6.2.x:
+ time: ~
+ versions: ['>=6.2.0', '<6.3.0']
+ 6.3.x:
+ time: ~
+ versions: ['>=6.3.0', '<6.4.0']
+ 6.4.x:
+ time: 2024-11-05 08:00:00
+ versions: ['>=6.4.0', '<6.4.14']
+ 7.0.x:
+ time: ~
+ versions: ['>=7.0.0', '<7.1.0']
+ 7.1.x:
+ time: 2024-11-05 08:00:00
+ versions: ['>=7.1.0', '<7.1.7']
+reference: composer://symfony/symfony
diff --git a/symfony/symfony/CVE-2024-51736.yaml b/symfony/symfony/CVE-2024-51736.yaml
new file mode 100644
index 000000000..d752c39ff
--- /dev/null
+++ b/symfony/symfony/CVE-2024-51736.yaml
@@ -0,0 +1,50 @@
+title: "CVE-2024-51736: Command execution hijack on Windows with Process class"
+link: https://symfony.com/cve-2024-51736
+cve: CVE-2024-51736
+branches:
+ 2.x:
+ time: ~
+ versions: ['>=2.0.0', '<3.0.0']
+ 3.x:
+ time: ~
+ versions: ['>=3.0.0', '<4.0.0']
+ 4.x:
+ time: ~
+ versions: ['>=4.0.0', '<5.0.0']
+ 5.0.x:
+ time: ~
+ versions: ['>=5.0.0', '<5.1.0']
+ 5.1.x:
+ time: ~
+ versions: ['>=5.1.0', '<5.2.0']
+ 5.2.x:
+ time: ~
+ versions: ['>=5.2.0', '<5.3.0']
+ 5.3.x:
+ time: ~
+ versions: ['>=5.3.0', '<5.4.0']
+ 5.4.x:
+ time: 2024-11-05 08:00:00
+ versions: ['>=5.4.0', '<5.4.46']
+ 6.0.x:
+ time: ~
+ versions: ['>=6.0.0', '<6.1.0']
+ 6.1.x:
+ time: ~
+ versions: ['>=6.1.0', '<6.2.0']
+ 6.2.x:
+ time: ~
+ versions: ['>=6.2.0', '<6.3.0']
+ 6.3.x:
+ time: ~
+ versions: ['>=6.3.0', '<6.4.0']
+ 6.4.x:
+ time: 2024-11-05 08:00:00
+ versions: ['>=6.4.0', '<6.4.14']
+ 7.0.x:
+ time: ~
+ versions: ['>=7.0.0', '<7.1.0']
+ 7.1.x:
+ time: 2024-11-05 08:00:00
+ versions: ['>=7.1.0', '<7.1.7']
+reference: composer://symfony/symfony
diff --git a/symfony/validator/CVE-2024-50343.yaml b/symfony/validator/CVE-2024-50343.yaml
new file mode 100644
index 000000000..6590f4d00
--- /dev/null
+++ b/symfony/validator/CVE-2024-50343.yaml
@@ -0,0 +1,50 @@
+title: "CVE-2024-50343: Incorrect response from Validator when input ends with `\n`"
+link: https://symfony.com/cve-2024-50343
+cve: CVE-2024-50343
+branches:
+ 2.x:
+ time: ~
+ versions: ['>=2.0.0', '<3.0.0']
+ 3.x:
+ time: ~
+ versions: ['>=3.0.0', '<4.0.0']
+ 4.x:
+ time: ~
+ versions: ['>=4.0.0', '<5.0.0']
+ 5.0.x:
+ time: ~
+ versions: ['>=5.0.0', '<5.1.0']
+ 5.1.x:
+ time: ~
+ versions: ['>=5.1.0', '<5.2.0']
+ 5.2.x:
+ time: ~
+ versions: ['>=5.2.0', '<5.3.0']
+ 5.3.x:
+ time: ~
+ versions: ['>=5.3.0', '<5.4.0']
+ 5.4.x:
+ time: 2024-08-30 08:00:00
+ versions: ['>=5.4.0', '<5.4.43']
+ 6.0.x:
+ time: ~
+ versions: ['>=6.0.0', '<6.1.0']
+ 6.1.x:
+ time: ~
+ versions: ['>=6.1.0', '<6.2.0']
+ 6.2.x:
+ time: ~
+ versions: ['>=6.2.0', '<6.3.0']
+ 6.3.x:
+ time: ~
+ versions: ['>=6.3.0', '<6.4.0']
+ 6.4.x:
+ time: 2024-08-30 08:00:00
+ versions: ['>=6.4.0', '<6.4.11']
+ 7.0.x:
+ time: ~
+ versions: ['>=7.0.0', '<7.1.0']
+ 7.1.x:
+ time: 2024-08-30 08:00:00
+ versions: ['>=7.1.0', '<7.1.4']
+reference: composer://symfony/validator