
CVE-2024-28861

Published: 2024-03-22 17:15:07
CWE-502
Source: GitHub_M
web.nvd.nist.gov
Tags: cve-2024-28861, symfony, php, vulnerability, rce, deserialization, nvd

CVSS3: 9.8
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 9.8
Confidence: High
EPSS: 0
Percentile: 9.0%

Symfony 1 is a community-driven fork of the 1.x branch of Symfony, a PHP framework for web projects. Starting in version 1.1.0 and prior to version 1.5.19, Symfony 1 contains a gadget chain, caused by dangerous deserialization behaviour in the sfNamespacedParameterHolder class, that would enable an attacker to achieve remote code execution if a developer deserializes user input in their project. Version 1.5.19 contains a patch for the issue.

Affected configurations

Vendor: friendsofsymfony1
Product: symfony1
Range: 1.1.0 to 1.5.19

Vendor: friendsofsymfony1
Product: symfony1
Version: *
CPE: cpe:2.3:a:friendsofsymfony1:symfony1:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "FriendsOfSymfony1",
    "product": "symfony1",
    "versions": [
      {
        "version": ">= 1.1.0, < 1.5.19",
        "status": "affected"
      }
    ]
  }
]
