<h1>Symfony: 8 new security vulnerabilities discovered - Analysis and recommendations</h1>

<p><em>Published 2024-11-07 on <a href="https://www.lrob.fr/en/blog/securite/symfony-8-failles-de-securite-nov-2024-analyse-recommandations/">lrob.fr</a>.</em></p>

<p>After a year without a security advisory, Symfony <a href="https://symfony.com/blog/" target="_blank" rel="noreferrer noopener">published eight at once on its blog on November 6, 2024</a>: six in Symfony itself and two in the sandbox of the Twig template engine. They affect different versions of the framework. Here is a summary of each vulnerability, its potential impact and the fix Symfony shipped, so that you can judge what they mean for the security of your own applications.</p>
<h2 class="wp-block-heading" id="introduction">Introduction</h2>

<p>Even the most renowned frameworks, Symfony included, are never immune to security flaws. Whatever application stack you choose, you need to stay vigilant and patch promptly. Safeguards such as a ModSecurity web application firewall and automatic attacker blocking (fail2ban), combined with a sound off-site backup policy, are a valuable layer of defence in depth: they reduce your exposure while you update, but they do not replace the update itself.</p>

<p><em>On LRob secure web hosting, our Linux servers back up your application security with ModSecurity combined with fail2ban, which actively blocks attempts to exploit vulnerabilities; full off-site backups are taken daily with a one-year retention period. <a href="https://www.lrob.fr/en/web-hosting/">Choosing LRob as your hosting provider</a> means getting a simple, secure hosting solution while adding a rigorous, available and passionate sysadmin to your team!</em></p>
<h2 class="wp-block-heading" id="liste-des-failles-de-securite-symfony-decouvertes-novembre-2024">Symfony security vulnerabilities (November 2024)</h2>

<h3 class="wp-block-heading" id="cve-2024-51736-detournement-dexecution-de-commande-sur-windows-avec-la-classe-process">CVE-2024-51736: Command execution hijack on Windows with the Process class</h3>

<p><strong>Affected versions</strong><br>Symfony 5.4.0 to 5.4.46, 6.0.0 to 6.4.14 and 7.0.0 to 7.1.7; fixed in 5.4.47, 6.4.15 and 7.1.8. Only applications running on Windows are exposed.</p>

<p><strong>Description</strong><br>On Windows, the <code>Process</code> component runs commands through the shell by invoking <code>cmd.exe</code> by its bare name. Windows resolves a bare executable name by searching the current working directory before the system directories, so if an attacker can place a file named <code>cmd.exe</code> in the working directory of a Symfony application (a directory that accepts user uploads, for instance), that file is executed instead of the real shell, with the privileges of the PHP process.</p>

<p><strong>Resolution</strong><br>The <code>Process</code> class now invokes <code>cmd.exe</code> through its absolute path in the Windows system directory, so the working directory is no longer searched.</p>

<p><a href="https://symfony.com/blog/cve-2024-51736-command-execution-hijack-on-windows-with-process-class" target="_blank" rel="noopener">See the official Symfony article</a>.</p>

<hr class="wp-block-separator has-alpha-channel-opacity"/>

<h3 class="wp-block-heading" id="cve-2024-50341-la-methode-security-login-ignore-le-user-checker-personnalise">CVE-2024-50341: Security::login ignores the custom user_checker</h3>

<p><strong>Affected versions</strong><br>Symfony 6.2.0 to 6.4.13 and 7.0.0 to 7.1.6; fixed in 6.4.14 and 7.1.7.</p>

<p><strong>Description</strong><br>The <code>Security::login()</code> helper, which authenticates a user programmatically (typically right after registration, or from a custom controller), did not run the <code>user_checker</code> configured for the firewall. A custom checker that rejects disabled, locked or not-yet-verified accounts was therefore bypassed, and such accounts could end up with a valid logged-in session.</p>

<p><strong>Resolution</strong><br>The patch makes <code>Security::login()</code> call the configured <code>user_checker</code> before the user is authenticated, as the interactive login path already did.</p>

<p><a href="https://symfony.com/blog/cve-2024-50341-security-login-does-not-take-into-account-custom-user-checker" target="_blank" rel="noopener">See the official Symfony article</a>.</p>

<hr class="wp-block-separator has-alpha-channel-opacity"/>
<h3 class="wp-block-heading" id="cve-2024-50340-changement-denvironnement-via-une-requete">CVE-2024-50340: Changing the environment from a request</h3>

<p><strong>Affected versions</strong><br>Symfony 5.4.0 to 5.4.45, 6.0.0 to 6.4.13 and 7.0.0 to 7.1.6; fixed in 5.4.46, 6.4.14 and 7.1.7. Exploitable only when the PHP directive <code>register_argc_argv</code> is enabled for the web SAPI.</p>

<p><strong>Description</strong><br>When <code>register_argc_argv</code> is on, PHP fills <code>$_SERVER['argv']</code> for web requests too, by splitting the query string on <code>+</code>. The <code>SymfonyRuntime</code> read command-line options such as <code>--env</code> and <code>--no-debug</code> from <code>argv</code> without checking that it was actually running on the command line. A visitor could therefore craft a query string that switches the kernel to another environment (for example <code>dev</code>, with its profiler, debug toolbar and detailed error pages) or changes the debug mode for the duration of the request.</p>

<p><strong>Resolution</strong><br>The <code>SymfonyRuntime</code> now ignores <code>argv</code> unless PHP is running under a command-line SAPI. Independently of the patch, keep <code>register_argc_argv</code> off for web requests, as <code>php.ini-production</code> does; check it from a web request rather than with <code>php -i</code>, because the CLI SAPI forces that setting on.</p>

<p><a href="https://symfony.com/blog/cve-2024-50340-ability-to-change-environment-from-query" target="_blank" rel="noopener">See the official Symfony article</a>.</p>

<hr class="wp-block-separator has-alpha-channel-opacity"/>
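<p>To make the mechanism concrete, here is an added illustration. It is not Symfony's code: the function names are this example's own, the option parser is a simplified stand-in for the Console component's <code>ArgvInput</code> that the real runtime uses, and the request is constructed. It shows how a query string becomes <code>argv</code> under <code>register_argc_argv</code>, and why the fix consists of honouring <code>argv</code> only under a command-line SAPI.</p>

```php
<?php
declare(strict_types=1);

// Added illustration, not Symfony's code: how a query string becomes
// $_SERVER['argv'] when register_argc_argv is on, and why a runtime must
// ignore argv outside the command line. The option parser is deliberately
// minimal; Symfony's own runtime parses argv with the Console component.

/**
 * Mimics what PHP does for a web request when register_argc_argv=On:
 * the raw query string is split on '+' and exposed as argv.
 * (Helper so the demo runs offline; PHP does this itself on a real server.)
 */
function argvFromQueryString(string $queryString): array
{
    return '' === $queryString ? [] : explode('+', $queryString);
}

/**
 * Vulnerable shape: command-line style options are read from argv
 * regardless of which SAPI is running.
 */
function resolveEnvUnsafe(array $argv, string $defaultEnv, bool $defaultDebug): array
{
    $env = $defaultEnv;
    $debug = $defaultDebug;
    foreach ($argv as $arg) {
        if (str_starts_with($arg, '--env=')) {
            $env = substr($arg, strlen('--env='));
        } elseif ('--no-debug' === $arg) {
            $debug = false;
        }
    }

    return ['env' => $env, 'debug' => $debug];
}

/**
 * Hardened shape: argv is only honoured when PHP is really running a
 * command line (cli, phpdbg or embed). Under FPM, Apache or CGI the
 * array is attacker-influenced and must be ignored.
 */
function resolveEnvSafe(string $sapi, array $argv, string $defaultEnv, bool $defaultDebug): array
{
    if (!in_array($sapi, ['cli', 'phpdbg', 'embed'], true)) {
        $argv = [];
    }

    return resolveEnvUnsafe($argv, $defaultEnv, $defaultDebug);
}

// Constructed request against a production app: GET /?--env=dev
$argv = argvFromQueryString('--env=dev');

print_r(resolveEnvUnsafe($argv, 'prod', false));            // env => dev  (hijacked)
print_r(resolveEnvSafe('fpm-fcgi', $argv, 'prod', false));  // env => prod (argv ignored)
print_r(resolveEnvSafe('cli', $argv, 'prod', false));       // env => dev  (legitimate CLI use)

// To check your own server, read ini_get('register_argc_argv') from a web
// request, not from `php -i`: the CLI SAPI forces the directive on.
```

The SAPI allow-list is the important part: the query string is under the visitor's control, the command line is not, and only the SAPI tells the runtime which of the two populated <code>argv</code>.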
<h3 class="wp-block-heading" id="cve-2024-50342-enumeration-dadresses-et-de-ports-internes-via-no-private-network-http-client">CVE-2024-50342: Enumeration of internal addresses and ports via NoPrivateNetworkHttpClient</h3>

<p><strong>Affected versions</strong><br>Symfony 5.4.0 to 5.4.45, 6.0.0 to 6.4.13 and 7.0.0 to 7.1.6; fixed in 5.4.46, 6.4.14 and 7.1.7.</p>

<p><strong>Description</strong><br><code>NoPrivateNetworkHttpClient</code> decorates an HTTP client so that server-side requests cannot reach private or local network ranges, the usual mitigation against server-side request forgery (SSRF). Before the fix, the blocked-range check was applied too late: information leaked while the target host was being resolved, so an attacker who controls a URL fetched by the application could still tell which internal addresses and ports exist, even though the request itself was ultimately blocked.</p>

<p><strong>Resolution</strong><br>The <code>NoPrivateNetworkHttpClient</code> now applies the blocked-IP filter from the start of host resolution, before any connection is attempted. Remember that the decorator only protects the clients you actually wrap with it.</p>

<p><a href="https://symfony.com/blog/cve-2024-50342-internal-address-and-port-enumeration-allowed-by-noprivatenetworkhttpclient" target="_blank" rel="noopener">See the official Symfony article</a>.</p>

<hr class="wp-block-separator has-alpha-channel-opacity"/>
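<p>The general shape of such a guard, as an added example that is not Symfony's <code>NoPrivateNetworkHttpClient</code>: the host is resolved first, every resolved address is checked against the blocked ranges, and only then may a connection be opened. The blocked list, the function names and the fake resolver are this example's own; the resolver is injected so the code runs offline on constructed data.</p>

```php
<?php
declare(strict_types=1);

// Added example, not Symfony's NoPrivateNetworkHttpClient: an SSRF guard that
// resolves the host first and refuses the request if ANY resolved address
// falls in a blocked range, before a connection is opened. The resolver is
// injected so the demo runs offline on constructed data; all names here
// (BLOCKED_RANGES, vetTarget, ...) are this example's own.

/** Ranges a server-side client should normally never reach (constructed list). */
const BLOCKED_RANGES = [
    '0.0.0.0/8', '10.0.0.0/8', '127.0.0.0/8', '169.254.0.0/16',
    '172.16.0.0/12', '192.168.0.0/16', '::1/128', 'fc00::/7', 'fe80::/10',
];

/** True when the textual IP $ip lies inside $cidr (IPv4 or IPv6). */
function ipInCidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = explode('/', $cidr, 2);
    $ipBin = inet_pton($ip);
    $subnetBin = inet_pton($subnet);
    if (false === $ipBin || false === $subnetBin || strlen($ipBin) !== strlen($subnetBin)) {
        return false; // different address families never match
    }
    $bits = (int) $bits;
    $fullBytes = intdiv($bits, 8);
    if (substr($ipBin, 0, $fullBytes) !== substr($subnetBin, 0, $fullBytes)) {
        return false;
    }
    $rest = $bits % 8;
    if (0 === $rest) {
        return true;
    }
    $mask = (0xFF << (8 - $rest)) & 0xFF; // the leading $rest bits of the next byte

    return (ord($ipBin[$fullBytes]) & $mask) === (ord($subnetBin[$fullBytes]) & $mask);
}

function isBlockedIp(string $ip): bool
{
    foreach (BLOCKED_RANGES as $cidr) {
        if (ipInCidr($ip, $cidr)) {
            return true;
        }
    }

    return false;
}

/**
 * Resolve $host through $resolver and return the vetted addresses to connect
 * to, or throw. The caller must connect to one of the returned addresses and
 * not re-resolve the name, otherwise DNS rebinding bypasses the check.
 * The error is identical for every refused target so that it reveals nothing
 * about what was behind the name.
 *
 * @param callable(string): list<string> $resolver  hostname -> IP list
 * @return list<string>
 */
function vetTarget(string $host, callable $resolver): array
{
    $addresses = false !== filter_var($host, FILTER_VALIDATE_IP) ? [$host] : $resolver($host);
    if ([] === $addresses) {
        throw new RuntimeException('Target is not allowed');
    }
    foreach ($addresses as $ip) {
        if (isBlockedIp($ip)) {
            throw new RuntimeException('Target is not allowed');
        }
    }

    return $addresses;
}

// Constructed stand-in for DNS (203.0.113.0/24 is the TEST-NET-3 documentation range).
$dnsTable = [
    'api.example.org' => ['203.0.113.10'],
    'intranet.corp'   => ['10.20.30.40'],
    'rebind.attacker' => ['203.0.113.10', '169.254.169.254'], // public + cloud metadata IP
];
$fakeDns = static fn (string $host): array => $dnsTable[$host] ?? [];

foreach (['api.example.org', 'intranet.corp', 'rebind.attacker', '127.0.0.1', '::1'] as $target) {
    try {
        printf("%-18s allowed: %s\n", $target, implode(', ', vetTarget($target, $fakeDns)));
    } catch (RuntimeException $e) {
        printf("%-18s refused (%s)\n", $target, $e->getMessage());
    }
}
// Only api.example.org is allowed; every other target is refused with the same message.
```

Two details carry the security value: the check runs on the resolved addresses (a name that resolves to both a public and a private address is refused, not partially allowed), and the refusal is uniform, so neither the error text nor a connection attempt tells the caller which internal hosts or ports exist.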
<h3 class="wp-block-heading" id="cve-2024-50343-reponse-incorrecte-du-validator-avec-une-entree-se-terminant-par-n">CVE-2024-50343: Incorrect Validator response with input ending in <code>\n</code></h3>

<p><strong>Affected versions</strong><br>Symfony 5.4.0 to 5.4.45, 6.0.0 to 6.4.13 and 7.0.0 to 7.1.6; fixed in 5.4.46, 6.4.14 and 7.1.7.</p>

<p><strong>Description</strong><br>In PCRE, the <code>$</code> anchor matches not only at the very end of the subject but also just before a final newline, so <code>preg_match('/^\d+$/', "123\n")</code> succeeds. Symfony constraints built on such anchored regular expressions accepted inputs carrying a trailing newline that should have been rejected, and the Validator returned a wrong verdict. A value with a trailing newline that later reaches a header, a log line or a shell command is exactly the kind of input downstream code does not expect.</p>

<p><strong>Resolution</strong><br>Symfony now adds the <code>D</code> (<code>PCRE_DOLLAR_ENDONLY</code>) modifier to the affected patterns, so that <code>$</code> matches only at the very end of the input. Audit your own <code>Regex</code> constraints and <code>preg_match()</code> calls for the same mistake: add the <code>D</code> modifier, or anchor with <code>\z</code> instead of <code>$</code>.</p>

<p><a href="https://symfony.com/blog/cve-2024-50343-incorrect-response-from-validator-when-input-ends-with-n" target="_blank" rel="noopener">See the official Symfony article</a>.</p>

<hr class="wp-block-separator has-alpha-channel-opacity"/>
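<p>The bypass and both fixes side by side, as an added example (not Symfony's code; the pattern and the inputs are constructed for the demonstration):</p>

```php
<?php
declare(strict_types=1);

// Added example, not Symfony's code: why a trailing "\n" slips past a pattern
// anchored with $, and the two ways to close the hole (the D modifier, or
// anchoring with \z). Pattern and inputs are constructed for the demonstration.

/** True when the input matches, which is how a validator decides. */
function isValid(string $pattern, string $input): bool
{
    return 1 === preg_match($pattern, $input);
}

$patterns = [
    'vulnerable /^[a-z0-9]+$/'  => '/^[a-z0-9]+$/',  // $ also matches before one final "\n"
    'fixed      /^[a-z0-9]+$/D' => '/^[a-z0-9]+$/D', // D: $ matches only at the very end
    'fixed      /^[a-z0-9]+\z/' => '/^[a-z0-9]+\z/', // \z: absolute end, no modifier needed
];

$inputs = ["user42", "user42\n", "user42\r\n", "user42\nX-Injected: 1"];

foreach ($patterns as $label => $pattern) {
    foreach ($inputs as $input) {
        printf("%-27s %-26s %s\n", $label, json_encode($input), isValid($pattern, $input) ? 'ACCEPTED' : 'rejected');
    }
}
// The vulnerable pattern ACCEPTS "user42\n" and nothing else beyond "user42":
// "\r\n" and text after the newline are rejected, because $ tolerates exactly
// one final LF. Both fixed patterns accept only "user42".
```

The same applies to patterns you hand to Symfony's <code>Regex</code> constraint, which are passed to <code>preg_match()</code> as written: <code>#[Assert\Regex('/^[a-z0-9]+$/D')]</code> is safe, the same pattern without <code>D</code> is not.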
<h3 class="wp-block-heading" id="cve-2024-50345-redirection-ouverte-via-des-ur-ls-sanitisees-par-le-navigateur">CVE-2024-50345: Open redirect via browser-sanitized URLs</h3>

<p><strong>Affected versions</strong><br>Symfony 5.4.0 to 5.4.45, 6.0.0 to 6.4.13 and 7.0.0 to 7.1.6; fixed in 5.4.46, 6.4.14 and 7.1.7.</p>

<p><strong>Description</strong><br><code>Request::create()</code> accepted URIs containing characters that browsers strip or rewrite before navigating, such as tab, carriage return and line feed (which the WHATWG URL parser removes) or backslashes (which browsers treat as slashes in http and https URLs). Redirect logic that relied on how <code>Request::create()</code> parsed a user-supplied target could therefore consider it a harmless local path, while the browser, after sanitising the same value, ends up on an attacker's domain: an open redirect, the classic starting point for phishing.</p>

<p><strong>Resolution</strong><br><code>Request::create()</code> now validates the URI and rejects those containing invalid characters instead of parsing them leniently. If you implement redirects yourself, validate the raw target before trusting any parsed representation of it, and prefer allow-listing known routes over parsing free-form URLs.</p>

<p><a href="https://symfony.com/blog/cve-2024-50345-open-redirect-via-browser-sanitized-urls" target="_blank" rel="noopener">See the official Symfony article</a>.</p>

<hr class="wp-block-separator has-alpha-channel-opacity"/>
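<p>Why parsing alone is not enough, as an added example. This is neither Symfony's code nor the advisory's proof of concept: the redirect checks and the sample targets are constructed here to illustrate the class of input the advisory describes, and <code>browserView()</code> reproduces only the two browser behaviours that matter (dropping ASCII tab, LF and CR, and treating a backslash as a slash).</p>

```php
<?php
declare(strict_types=1);

// Added example, not Symfony's code and not the advisory's proof of concept:
// a redirect-target check that trusts PHP's parse_url() view of the target,
// next to what a browser does with the same bytes (drop ASCII tab/LF/CR and
// treat "\" as "/" for http(s) URLs, per the WHATWG URL parser), and a
// hardened check that rejects such input before parsing. Sample targets are
// constructed for this illustration.

/** Naive check: no scheme and no host in parse_url() output, so "it is local". */
function isLocalRedirectNaive(string $target): bool
{
    $parts = parse_url($target);

    return false !== $parts && !isset($parts['scheme']) && !isset($parts['host']);
}

/** The first steps of browser URL parsing that matter here. */
function browserView(string $target): string
{
    $stripped = str_replace(["\t", "\n", "\r"], '', $target);

    return str_replace('\\', '/', $stripped);
}

/** Hardened check: refuse anything a browser would rewrite, then require a plain local path. */
function isLocalRedirectSafe(string $target): bool
{
    if (1 === preg_match('/[\x00-\x20\x7F\\\\]/', $target)) {
        return false; // control characters, whitespace or backslash: the browser would rewrite it
    }
    if (!str_starts_with($target, '/') || str_starts_with($target, '//')) {
        return false; // only absolute paths on this origin; "//host" is scheme-relative
    }

    return isLocalRedirectNaive($target); // parse_url() is fine once the input is clean
}

$targets = ['/account', '//evil.example/', "/\t/evil.example", "/\\evil.example", 'http://evil.example'];

printf("%-22s %-6s %-20s %s\n", 'target', 'naive', 'browser sees', 'safe');
foreach ($targets as $target) {
    printf("%-22s %-6s %-20s %s\n",
        json_encode($target, JSON_UNESCAPED_SLASHES),
        isLocalRedirectNaive($target) ? 'ok' : 'deny',
        json_encode(browserView($target), JSON_UNESCAPED_SLASHES),
        isLocalRedirectSafe($target) ? 'ok' : 'deny');
}
// The naive check lets "/\t/evil.example" and "/\evil.example" through although
// the browser turns both into //evil.example; the hardened check denies them.
```

The order of the hardened check is the point: reject the bytes a browser would rewrite first, and only then reason about the parsed URL, because any parser (PHP's or your own) that sees different bytes from the browser can be made to disagree with it.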
<h3 class="wp-block-heading" id="twig-cve-2024-51754-appels-non-proteges-a-to-string-dans-un-sandbox">Twig CVE-2024-51754: Unguarded calls to __toString() in a sandbox</h3>

<p><strong>Affected versions</strong><br>Twig 3.12.0 to 3.14.0; fixed in 3.14.1.</p>

<p><strong>Description</strong><br>Twig's sandbox renders templates from untrusted authors under a security policy that lists the tags, filters, functions, methods and properties they may use. When an object appeared inside an array literal or in a function or filter argument list and Twig needed it as a string, its <code>__toString()</code> method was called without the policy being consulted. A template author confined by the sandbox could thus obtain the string form of objects the policy never allowed them to call, a way around the sandbox restrictions.</p>

<p><strong>Resolution</strong><br>The sandbox now checks the security policy before calling <code>__toString()</code> on objects in those positions too, as it already did for direct output.</p>

<p><a href="https://symfony.com/blog/cve-2024-51754-unguarded-calls-to-tostring-in-a-sandbox-when-an-object-is-in-an-array-or-an-argument-list" target="_blank" rel="noopener">See the official Symfony article</a>.</p>

<hr class="wp-block-separator has-alpha-channel-opacity"/>

<h3 class="wp-block-heading" id="twig-cve-2024-51755-appels-non-proteges-a-isset-et-aux-acces-dobjets-de-type-array-dans-un-sandbox">Twig CVE-2024-51755: Unguarded calls to __isset() and array-like object accesses in a sandbox</h3>

<p><strong>Affected versions</strong><br>Twig 3.12.0 to 3.14.0; fixed in 3.14.1.</p>

<p><strong>Description</strong><br>Objects that behave like arrays (implementing <code>ArrayAccess</code>) were treated by the sandbox as plain arrays: reading an attribute or an index on them bypassed the security policy, and <code>__isset()</code> was likewise called on objects without a check. An author confined by the sandbox could read properties the policy did not expose, potentially sensitive ones.</p>

<p><strong>Resolution</strong><br>The sandbox now runs the security policy check before calling <code>__isset()</code> and before accessing attributes of array-like objects.</p>

<p>Both Twig issues only matter when you use the sandbox to render templates written by untrusted users; if all templates come from your own developers, the sandbox is not your security boundary, but upgrade all the same.</p>

<p><a href="https://symfony.com/blog/cve-2024-51755-unguarded-calls-to-isset-and-to-array-accesses-in-a-sandbox" target="_blank" rel="noopener">See the official Symfony article</a>.</p>

<hr class="wp-block-separator has-alpha-channel-opacity"/>

<h2 class="wp-block-heading" id="conclusion-et-recommandations-de-l-rob">Conclusion and recommendations from LRob</h2>

<p>These eight advisories show that even a framework as mature as Symfony is not immune to security vulnerabilities. Fortunately, the Symfony team shipped the patches quickly and, as it should be, disclosed the vulnerabilities only once fixed releases were available. If you use Symfony, update as soon as possible to protect your applications and your users: all six Symfony issues are fixed in 5.4.47, 6.4.15 and 7.1.8, and both Twig issues in Twig 3.14.1. After updating, run <code>composer audit</code>, which checks the installed packages against the published security advisories, to confirm nothing affected remains. Keep in mind that the operating-system updates applied by your host do not touch the packages your application vendors through Composer; those are yours to update.</p>

<p>Never forget that no software is free of security flaws. Vigilance must be continuous, and regular updates remain the best line of defence against vulnerabilities and cyberthreats.</p>
<div class="wp-block-group has-global-padding is-layout-constrained wp-container-core-group-is-layout-c385debf wp-block-group-is-layout-constrained" style="border-width:1px;padding-top:var(--wp--preset--spacing--20);padding-right:var(--wp--preset--spacing--20);padding-bottom:var(--wp--preset--spacing--20);padding-left:var(--wp--preset--spacing--20)">
<p>At LRob, our servers offer optimal security:</p>

<ul class="wp-block-list">
<li><strong>No Windows vulnerability</strong>: our servers run Linux, so CVE-2024-51736, which only affects Windows hosts, does not apply to them. The other seven issues are platform-independent and are fixed by updating the application.</li>

<li><strong>Server software updates</strong>: server software is updated daily and monitored 24/7.</li>

<li><strong>ModSecurity firewall</strong>: by actively filtering malicious requests, our web application firewall protects your applications.</li>

<li><strong>Off-site backups</strong>: we take daily off-site backups to make recovery easy after an incident, and you can also push your own backups from Plesk to the FTP server of your choice (<a href="https://pulseheberg.com/cloud/vps-storage" target="_blank" rel="noopener">for example a VPS Storage Cloud from PulseHeberg</a>). Hosting details: <a href="https://www.lrob.fr/en/web-hosting/">LRob web hosting</a>.</li>
</ul>
</div>