Symphony process is a module for the Symphony PHP framework which executes commands in sub-processes. On Windows, when an executable file named "cmd.exe" is located in the current working directory it will be called by the "Process" class when preparing command arguments, leading to possible hijacking. This issue has been addressed in release versions 5.4.46, 6.4.14, and 7.1.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2024-51736 - Low Severity Vulnerability
Executes commands in sub-processes
Library home page: https://api.github.com/repos/symfony/process/zipball/6e75fe6874cbc7e4773d049616ab450eff537bf1
Dependency Hierarchy: - codeclimate/php-test-reporter-dev-master (Root Library) - padraic/phar-updater-v1.0.6 - padraic/humbug_get_contents-1.1.2 - composer/ca-bundle-1.3.3 - :x: **symfony/process-v5.4.11** (Vulnerable Library)
Found in base branch: master
Symphony process is a module for the Symphony PHP framework which executes commands in sub-processes. On Windows, when an executable file named "cmd.exe" is located in the current working directory it will be called by the "Process" class when preparing command arguments, leading to possible hijacking. This issue has been addressed in release versions 5.4.46, 6.4.14, and 7.1.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Publish Date: 2024-11-06
URL: CVE-2024-51736
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Release Date: 2024-11-06
Fix Resolution: symfony/process - v5.4.46,v6.4.14,v7.1.7
Step up your Open Source Security Game with Mend here