Описание
Symfony's Security::login does not take into account custom user_checker
Description
The custom user_checker defined on a firewall is not called when Login Programmaticaly with the Security::login method, leading to unwanted login.
Resolution
The Security::login method now ensure to call the configured user_checker.
The patch for this issue is available here for branch 6.4.
Credits
We would like to thank Oleg Andreyev, Antoine MAKDESSI for reporting the issue and Christian Flothmann for providing the fix.
Ссылки
- https://github.com/symfony/symfony/security/advisories/GHSA-jxgr-3v7q-3w9v
- https://nvd.nist.gov/vuln/detail/CVE-2024-50341
- https://github.com/symfony/symfony/commit/22a0789a0085c3ee96f4ef715ecad8255cf0e105
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/security-bundle/CVE-2024-50341.yaml
- https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2024-50341.yaml
- https://symfony.com/cve-2024-50341
Пакеты
symfony/security-bundle
>= 6.2.0, < 6.4.10
6.4.10
symfony/security-bundle
>= 7.0.0, < 7.0.10
7.0.10
symfony/security-bundle
>= 7.1.0, < 7.1.3
7.1.3
symfony/symfony
>= 6.2.0, < 6.4.10
6.4.10
symfony/symfony
>= 7.0.0, < 7.0.10
7.0.10
symfony/symfony
>= 7.1.0, < 7.1.3
7.1.3
Связанные уязвимости
symfony/security-bundle is a module for the Symphony PHP framework which provides a tight integration of the Security component into the Symfony full-stack framework. The custom `user_checker` defined on a firewall is not called when Login Programmaticaly with the `Security::login` method, leading to unwanted login. As of versions 6.4.10, 7.0.10 and 7.1.3 the `Security::login` method now ensure to call the configured `user_checker`. All users are advised to upgrade. There are no known workarounds for this vulnerability.
symfony/security-bundle is a module for the Symphony PHP framework which provides a tight integration of the Security component into the Symfony full-stack framework. The custom `user_checker` defined on a firewall is not called when Login Programmaticaly with the `Security::login` method, leading to unwanted login. As of versions 6.4.10, 7.0.10 and 7.1.3 the `Security::login` method now ensure to call the configured `user_checker`. All users are advised to upgrade. There are no known workarounds for this vulnerability.
symfony/security-bundle is a module for the Symphony PHP framework whi ...