CVE-2024-36611: Withdrawn Advisory: Symfony http-security has authentication bypass
(updated )
Withdrawn Advisory
This advisory has been withdrawn because the report is not part of a valid vulnerability. This link is maintained to preserve external references. For more information, see advisory-database/pull/5046.
Original Description
In Symfony, a security vulnerability was identified in the FormLoginAuthenticator component, where it failed to adequately handle cases where the username or password field of a login request is empty. This flaw could lead to various security risks, including improper authentication logic handling or denial of service.
References
- gist.github.com/1047524396/3581425e0911b716cf8ce4fa30e41e6c
- github.com/advisories/GHSA-7q22-x757-cmgc
- github.com/github/advisory-database/pull/5046
- github.com/symfony/symfony/blob/v7.0.7/src/Symfony/Component/Security/Http/Authenticator/FormLoginAuthenticator.php
- github.com/symfony/symfony/commit/a804ca15fcad279d7727b91d12a667fd5b925995
- nvd.nist.gov/vuln/detail/CVE-2024-36611
Detect and mitigate CVE-2024-36611 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →