CVE-2024-50340

Improper Input Validation (CWE-20)

Published: Nov 6, 2024

CVSS 7.3 | EPSS 0.04% | High

Summary

When the register_argc_argv PHP directive is set to on and users call any URL with a specially crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request.

Impact

This vulnerability allows attackers to manipulate the environment or debug mode of the kernel during request handling. This could potentially lead to unauthorized access, information disclosure, or execution of unintended operations on the affected system. The ability to change these settings could give attackers significant control over the application's behavior, potentially compromising its security and integrity.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

A patch is available. According to the vulnerability data, patch details were added on 2024-11-06, and the vulnerability is marked as patched.

Mitigation

1. Update to the latest patched version of the affected software as soon as possible.
2. If immediate patching is not possible, consider disabling the register_argc_argv PHP directive by setting it to 'off' if it's not critical for your application's functionality.
3. Implement strong input validation and sanitization for all user-supplied data, especially in URL query strings.
4. Monitor and log any unusual activities or requests that might attempt to exploit this vulnerability.
5. Apply the principle of least privilege to limit the potential impact if the vulnerability is exploited.
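A configuration check for mitigation step 2, as an added example that is not code from the advisory or from Symfony: it computes the effective register_argc_argv value from the ini files of the web SAPI (FPM, Apache module) in load order. It parses the files rather than asking the php command because the CLI SAPI always enables the directive, and it treats a missing directive as on, which is PHP's built-in default. The file names and ini contents are constructed for illustration.

```python
import re

# PHP's built-in default when no ini file sets the directive is on ("1").
BUILTIN_DEFAULT = True
TRUTHY = {"1", "on", "true", "yes"}

# Directive names are case sensitive; lines commented out with ';' do not match.
_DIRECTIVE = re.compile(r"^\s*register_argc_argv\s*=\s*(.*?)\s*$")


def parse_bool(raw):
    """Interpret a php.ini boolean value roughly the way PHP does."""
    value = raw.split(";", 1)[0].strip().strip("\"'").lower()
    if value in TRUTHY:
        return True
    # off, false, no, none, 0 and the empty string read as false;
    # any other non-zero integer reads as true.
    return value.lstrip("-").isdigit() and int(value) != 0


def effective_register_argc_argv(ini_texts):
    """Return (enabled, source) for (name, text) pairs given in load order.

    Later files override earlier ones; if no file sets the directive,
    the built-in default applies.
    """
    enabled, source = BUILTIN_DEFAULT, "built-in default"
    for name, text in ini_texts:
        for lineno, line in enumerate(text.splitlines(), 1):
            match = _DIRECTIVE.match(line)
            if match:
                enabled = parse_bool(match.group(1))
                source = f"{name}:{lineno}"
    return enabled, source


# Constructed sample: a main php.ini where the directive is only commented out,
# and a hypothetical conf.d drop-in that sets it explicitly.
SAMPLE_MAIN_INI = "[PHP]\n; register_argc_argv = Off\nmemory_limit = 128M\n"
SAMPLE_OVERRIDE = "register_argc_argv = Off ; hardened\n"

if __name__ == "__main__":
    for files in ([("php.ini", SAMPLE_MAIN_INI)],
                  [("php.ini", SAMPLE_MAIN_INI),
                   ("conf.d/99-hardening.ini", SAMPLE_OVERRIDE)]):
        enabled, source = effective_register_argc_argv(files)
        print("EXPOSED" if enabled else "ok", "register_argc_argv from", source)
```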

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Timeline

Vendor Advisory (Nov 6, 2024 at 10:02 AM)
GitHub Advisories released a security advisory.

First Article (Nov 6, 2024 at 10:21 AM / Symfony Blog)
Feedly found the first article mentioning CVE-2024-50340.

CVSS Estimate (Nov 6, 2024 at 12:50 PM)
Feedly estimated the CVSS score as HIGH.

Threat Intelligence Report (Nov 6, 2024 at 2:23 PM)
CVE-2024-50340 is a medium-risk vulnerability with four associated vulnerabilities, for which a patch is available. There is no information provided regarding its exploitation in the wild, proof-of-concept exploits, or any downstream impacts on third-party vendors or technology. Vulnerability analysts should prioritize applying the available patch to mitigate potential risks.

CVE Assignment (Nov 6, 2024 at 9:15 PM)
NVD published the first details for CVE-2024-50340.

CVSS (Nov 6, 2024 at 9:20 PM / nvd)
A CVSS base score of 7.3 has been assigned.

EPSS (Nov 7, 2024 at 10:05 AM)
EPSS Score was set to: 0.04% (Percentile: 10%)

Detection in Vulnerability Scanners (Nov 12, 2024 at 12:16 AM)
Detection for the vulnerability has been added to Nessus (210744).

Exploitation in the Wild (Nov 12, 2024 at 10:09 AM / Talkback Tech)
Attacks in the wild have been reported by Talkback Tech.

Affected Systems

Symfony

Patches

GitHub Advisory

Links to MITRE ATT&CK

T1562.003: Impair Command History Logging

Attack Patterns

CAPEC-10: Buffer Overflow via Environment Variables

Vendor Advisory

[GHSA-x8vp-gf4q-mw5j] Symfony allows changing the environment through a query
The SymfonyRuntime now ignores the argv values for non-cli SAPIs PHP runtimes. The patch for this issue is available here for branch 5.4. Package: symfony/runtime

References

Last Week in Security - 2024-11-18
The honeypot attracted attackers using tools like FFUF and Masscan, highlighting the importance of strong access controls and prompt application of security patches to mitigate cyber risks. The Problem with IoT Cloud-Connectivity and How it Exposed All OvrC Devices to Hijacking - Team82 conducted research on the security of the OvrC cloud platform, revealing 10 vulnerabilities that allowed attackers to execute code on OvrC cloud-connected devices.
Debian update for symfony
The vulnerability allows a remote attacker to bypass implemented security restrictions. The vulnerability allows a remote user to bypass security restrictions.
Symfony: 8 new security vulnerabilities discovered - Analysis and recommendations
On LRob secure web hosting, our Linux servers support your application security with ModSecurity combined with fail2ban actively blocking attempts to exploit vulnerabilities; full outsourced backups are made daily with a one-year retention period. Even the most renowned frameworks, such as Symfony, are never immune to security flaws.

News

Weekly Detection Rule (YARA and Snort) Information – Week 3, November 2024
The following is the information on YARA and Snort rules (week 3, November 2024) collected and shared by the AhnLab TIP service. 1 YARA Rules: detection name MAL_ELF_Xlogin_Nov24_1, description "Detects xlogin backdoor samples", source https://github.com/Neo23x0/signature-base. 4 Snort Rules: detection name ET WEB_SPECIFIC_APPS Symphony PHP Symfony Profiler Environment Manipulation (CVE-2024-50340), source https://rules.emergingthreatspro.com/open/; ET WEB_SPECIFIC_APPS Citrix Session […] The post Weekly Detection Rule (YARA and Snort) Information – Week 3, November 2024 first appeared on ASEC.
Seclog - #100
GitHub Enterprise SAML Bypass - Analysis of critical authentication bypass vulnerabilities affecting GitHub Enterprise Server. Securing 4 C's of a Software Product - Comprehensive guide focusing on implementing AWS security measures across different product components.
Hack: Remote Access to Symfony Profiler via Injected Arguments (CVE-2024-50340).
When the PHP directive is set to "on", CVE-2024-50340 allows attackers to force Symfony applications into the environment by appending to the URL. If the route is enabled, attackers can leak Symfony's through the profiler's page and execute arbitrary code remotely, as detailed in this Ambionics blog post by Charles Fol :
AppSec Ezine #561
URL: https://link.medium.com/0t6Qbt7YkOb Description: Exploiting an Opera Vulnerability with a X-Browser Extension Store Attack. URL: https://github.com/SpecterOps/cred1py Description: Tool used to exploit CRED-1 over a SOCKS5 connection (with UDP support).

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability Impact: Low
