Source: cvelist (GitHub_M) - CVELIST:CVE-2024-28861
History: Mar 22, 2024 - 4:43 p.m.

CVE-2024-28861 Gadget chain in Symfony 1 due to uncontrolled unserialized input in sfNamespacedParameterHolder

Published: 2024-03-22 16:43:18
CWE: CWE-502
Reporter: GitHub_M
Reference: www.cve.org
References: 2
Tags: cve-2024-28861, gadget chain, symfony 1, uncontrolled unserialized input, remote code execution

CVSS3: 9.8

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 10
Confidence: High

EPSS: 0
Percentile: 9.0%

Symfony 1 is a community-driven fork of the 1.x branch of Symfony, a PHP framework for web projects. Starting in version 1.1.0 and prior to version 1.5.19, Symfony 1 contains a gadget chain caused by dangerous deserialization in the sfNamespacedParameterHolder class; it would allow an attacker to achieve remote code execution if a developer deserializes user-controlled input in their project. Version 1.5.19 contains a patch for the issue.

CNA Affected

[
  {
    "vendor": "FriendsOfSymfony1",
    "product": "symfony1",
    "versions": [
      {
        "version": ">= 1.1.0, < 1.5.19",
        "status": "affected"
      }
    ]
  }
]
