CVE-2024-51736: Symfony vulnerable to command execution hijack on Windows with Process class
On Windows, when an executable file named cmd.exe is located in the current working directory, it will be called by the Process class when preparing command arguments, leading to possible hijacking.
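An added illustration of the mechanism, written for this page and not taken from Symfony or from the referenced fix commit: a bare `cmd` is resolved by Windows with the working directory searched before System32, whereas an absolute `%SystemRoot%\System32\cmd.exe` path is never looked up relative to the working directory. The helper names, the assumption that the pre-fix form invoked cmd by its bare name, and the `/V:ON /E:ON /D /C` wrapper shape are assumptions, not details stated on this page.

```php
<?php
// Added example, not Symfony's code. Contrasts a bare "cmd" (resolved relative
// to the working directory first) with an absolute cmd.exe path, and adds a
// defensive preflight for the condition the advisory describes.
declare(strict_types=1);

/**
 * Resolve cmd.exe to an absolute path under %SystemRoot% (fallback C:\Windows).
 * An absolute path is handed to CreateProcess as-is, so the working directory
 * is never consulted.
 */
function resolveCmdExe(?string $systemRoot = null): string
{
    $systemRoot = $systemRoot ?? (getenv('SystemRoot') ?: 'C:\\Windows');
    $path = rtrim($systemRoot, '\\') . '\\System32\\cmd.exe';
    if (\PHP_OS_FAMILY === 'Windows' && !is_file($path)) {
        throw new RuntimeException(sprintf('cmd.exe not found at "%s"', $path));
    }
    return $path;
}

/**
 * Build the shell wrapper line (assumed shape). $hardened = false reproduces
 * the risky bare-name form; true pins the interpreter to its absolute path.
 */
function buildCommandLine(string $inner, bool $hardened = true, ?string $systemRoot = null): string
{
    $shell = $hardened ? '"' . resolveCmdExe($systemRoot) . '"' : 'cmd';
    return $shell . ' /V:ON /E:ON /D /C (' . str_replace("\n", ' ', $inner) . ')';
}

/**
 * Defensive preflight: true when the working directory contains a file named
 * cmd.exe, i.e. the precondition for the hijack. Useful in CI or deploy checks.
 */
function cwdHasShadowCmd(string $cwd): bool
{
    return is_file(rtrim($cwd, '\\/') . DIRECTORY_SEPARATOR . 'cmd.exe');
}

// Usage: warn on a shadowing cmd.exe, then show both wrapper forms.
$cwd = getcwd();
if (cwdHasShadowCmd($cwd)) {
    fwrite(STDERR, "warning: unexpected cmd.exe in working directory $cwd\n");
}
echo buildCommandLine('echo hello', false, 'C:\\Windows'), "\n"; // bare "cmd": hijackable
echo buildCommandLine('echo hello', true, 'C:\\Windows'), "\n";  // absolute path: not hijackable
```

The `is_file` check inside `resolveCmdExe` is skipped on non-Windows hosts so the script also runs there for inspection.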
References
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/process/CVE-2024-51736.yaml
- github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2024-51736.yaml
- github.com/advisories/GHSA-qq5c-677p-737q
- github.com/symfony/symfony
- github.com/symfony/symfony/commit/18ecd03eda3917fdf901a48e72518f911c64a1c9
- github.com/symfony/symfony/security/advisories/GHSA-qq5c-677p-737q
- nvd.nist.gov/vuln/detail/CVE-2024-51736
- symfony.com/cve-2024-51736