VDB

CVE-2024-50340

CVE-2024-50340 PUBLISHED CVSS 7.3 HIGH

symfony/runtime is a module for the Symfony PHP framework which enables decoupling PHP applications from global state. When the `register_argv_argc` php directive is set to `on`, and users call any URL with a specially crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request. As of versions 5.4.46, 6.4.14, and 7.1.7 the `SymfonyRuntime` now ignores the `argv` values for non-SAPI PHP runtimes. All users are advised to upgrade. There are no known workarounds for this vulnerability.

EPSS 85.05% · 99.4th percentile

Risk Scores

CVSS v3.1
7.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS Score
85.05%
99.4th percentile

Affected Products

Vendor      Product   Versions
symfony     symfony   < 5.4.46; >= 6.0.0, < 6.4.14; >= 7.0.0, < 7.1.7
symfony     runtime   5.3.0, 6.0.0, 7.0.0
symfony     symfony   5.3.0, 6.0.0, 7.0.0
sensiolabs  symfony   0, 6.0.0, 7.0.0

Timeline

  • Jan 21, 1970 Security Advisory
  • Nov 6, 2024 CVE Published
  • Nov 6, 2024 Coalition ESS Score
  • Nov 6, 2024 PoC Published
  • Nov 7, 2024 EPSS Score
  • Nov 7, 2024 CVE Updated
  • Nov 9, 2024 Coalition ESS Score
  • Nov 13, 2024 PoC Published
  • Mar 20, 2025 EPSS Score
  • Mar 23, 2025 EPSS Score
  • Mar 25, 2025 EPSS Score
  • Mar 27, 2025 EPSS Score