Understanding CVE-2024-50340 – Remote Access to Symfony Profiler
IONIX Tracks CVE-2024-50340 Symfony Profiler – See if You’re Impacted
This post is based on ongoing security research – and will continue to be updated as we get additional information…
In this article
What is Symfony Profiler?
Symfony Profiler is a development tool that gives detailed information about the execution of any request.
Symfony Profiler Remote Access Vulnerability
According to security researcher nol_tech CVE-2024–50340 is a critical vulnerability (CVSS: 7.3) affecting Symfony applications when the PHP directive register_argc_argv is enabled.
By appending ?+--env=dev to a URL, attackers can force the application into the dev environment, granting remote access to the Symfony profiler. This exposure can lead to the leaking of sensitive information and potentially executing arbitrary code.
Symfony versions <5.4.46; >=6, <6.4.14; >=7, <7.1.7 of the Symfony Runtime component are affected by this security issue. The issue has been fixed in Symfony 5.4.46, 6.4.14, and 7.1.7.
symfony/runtime is a module for the Symphony PHP framework which enables decoupling PHP applications from global state. When the `register_argc_argv` php directive is set to `on` , and users call any URL with a special crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request. As of versions 5.4.46, 6.4.14, and 7.1.7 the `SymfonyRuntime` now ignores the `argv` values for non-SAPI PHP runtimes. All users are advised to upgrade.
NIST Database article for CVE-2024-50340 is here.
According to the Symfony site, SymfonyRuntime now ignores the argv values for non-cli SAPIs PHP runtimes. The patch for this issue is available here for branch 5.4.
IONIX customers will find impacted assets easily identified in the threat center of the IONIX portal.
