
[GHSA-7q22-x757-cmgc] Symfony http-security has authentication bypass #5046

Conversation

@jderusse jderusse commented Dec 3, 2024

Updates

  • Affected products
  • CVSS v4
  • Description
  • Severity

Comments
Hello GitHub team,

I'm Jérémy Derussé, member of the Symfony core team, and in charge of the security team.

We just discovered this advisory, and after investigation, we found that this is a false report.
There is no such vulnerability, and the link to the patch is not related to any vulnerability fix.

Looks like someone created hundreds of false CVEs https://gist.github.com/1047524396 : all CVEs registered with MITRE have a backlink to a gist created by this user.

@github-actions github-actions bot changed the base branch from main to jderusse/advisory-improvement-5046 December 3, 2024 09:27
"published": "2024-11-29T21:31:03Z",
"aliases": [
"CVE-2024-36611"
],
"summary": "Symfony http-security has authentication bypass",
"details": "In Symfony, a security vulnerability was identified in the FormLoginAuthenticator component, where it failed to adequately handle cases where the username or password field of a login request is empty. This flaw could lead to various security risks, including improper authentication logic handling or denial of service.",
"details": "no security issue.\nFlase report",
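Review bot: the new `details` value on the last line contains a typo ("Flase" for "False") and also discards the original description entirely, so a reader of the withdrawn advisory can no longer see what was claimed or why it was rejected. Since the maintainers' finding is that there is no vulnerability and the linked patch is unrelated to any security fix, consider keeping that reasoning in the field, e.g. `"details": "Withdrawn: the Symfony security team confirmed there is no security issue; the referenced patch is unrelated to any vulnerability fix."`, rather than the bare "no security issue" text.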

Suggested change
"details": "no security issue.\nFlase report",
"details": "no security issue.\nFalse report",

shelbyc (Contributor) commented Dec 3, 2024

👋 Good morning @jderusse, thank you for letting me know about the lack of valid vulnerabilities underlying GHSA-7q22-x757-cmgc and GHSA-cg28-v4wq-whv5. I'm preparing to withdraw the advisories now.

In addition to having these advisories withdrawn, I would also suggest that you and/or another Symfony team member go to https://cveform.mitre.org to file disputes of CVE-2024-36610 and CVE-2024-36611 with MITRE.

@advisory-database advisory-database bot merged commit db87707 into jderusse/advisory-improvement-5046 Dec 3, 2024
2 checks passed
advisory-database bot (Contributor) commented:
Hi @jderusse! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

@advisory-database advisory-database bot deleted the jderusse-GHSA-7q22-x757-cmgc branch December 3, 2024 16:07